Malware Analysis Report

2024-11-13 13:46

Sample ID 240719-mbannazapa
Target SandeLLoCHECKER_Installer (2).exe
SHA256 513bdf8d578fc535a41943fb900c32dc29de645bb9327ab3497b13632e04c6fc
Tags
rat dcrat infostealer persistence spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

513bdf8d578fc535a41943fb900c32dc29de645bb9327ab3497b13632e04c6fc

Threat Level: Known bad

The file SandeLLoCHECKER_Installer (2).exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer persistence spyware stealer

Modifies WinLogon for persistence

DcRat

DCRat payload

Dcrat family

Process spawned unexpected child process

DCRat payload

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-19 10:16

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-19 10:16

Reported

2024-07-19 10:19

Platform

win7-20240704-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SandeLLoCHECKER_Installer (2).exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\smss.exe\"" C:\chainproviderBrowsersvc\surrogateweb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\MSBuild\\smss.exe\", \"C:\\Windows\\Installer\\{AC76BA86-7AD7-1033-7B44-A90000000001}\\lsm.exe\"" C:\chainproviderBrowsersvc\surrogateweb.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\chainproviderBrowsersvc\surrogateweb.exe N/A
N/A N/A C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Installer\\{AC76BA86-7AD7-1033-7B44-A90000000001}\\lsm.exe\"" C:\chainproviderBrowsersvc\surrogateweb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Installer\\{AC76BA86-7AD7-1033-7B44-A90000000001}\\lsm.exe\"" C:\chainproviderBrowsersvc\surrogateweb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\MSBuild\\smss.exe\"" C:\chainproviderBrowsersvc\surrogateweb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\MSBuild\\smss.exe\"" C:\chainproviderBrowsersvc\surrogateweb.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\MSBuild\smss.exe C:\chainproviderBrowsersvc\surrogateweb.exe N/A
File opened for modification C:\Program Files\MSBuild\smss.exe C:\chainproviderBrowsersvc\surrogateweb.exe N/A
File created C:\Program Files\MSBuild\69ddcba757bf72 C:\chainproviderBrowsersvc\surrogateweb.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe C:\chainproviderBrowsersvc\surrogateweb.exe N/A
File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\101b941d020240 C:\chainproviderBrowsersvc\surrogateweb.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\chainproviderBrowsersvc\surrogateweb.exe N/A
N/A N/A C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\chainproviderBrowsersvc\surrogateweb.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2216 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\SandeLLoCHECKER_Installer (2).exe C:\Windows\SysWOW64\WScript.exe
PID 2796 wrote to memory of 2716 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\chainproviderBrowsersvc\surrogateweb.exe
PID 2792 wrote to memory of 3052 N/A C:\chainproviderBrowsersvc\surrogateweb.exe C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe
PID 3052 wrote to memory of 2196 N/A C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe C:\Windows\system32\cmd.exe
PID 3052 wrote to memory of 2068 N/A C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe C:\Windows\system32\cmd.exe
PID 3052 wrote to memory of 2188 N/A C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe C:\Windows\system32\cmd.exe
PID 2196 wrote to memory of 1560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\notepad.exe
PID 3052 wrote to memory of 720 N/A C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe C:\Windows\system32\cmd.exe
PID 2188 wrote to memory of 1348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\notepad.exe
PID 2068 wrote to memory of 2292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\notepad.exe
PID 3052 wrote to memory of 2452 N/A C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe C:\Windows\system32\cmd.exe
PID 3052 wrote to memory of 2372 N/A C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe C:\Windows\system32\cmd.exe
PID 720 wrote to memory of 296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\notepad.exe
PID 2452 wrote to memory of 1520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\notepad.exe
PID 3052 wrote to memory of 1872 N/A C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe C:\Windows\system32\cmd.exe
PID 2372 wrote to memory of 2276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\notepad.exe
PID 3052 wrote to memory of 2336 N/A C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe C:\Windows\system32\cmd.exe
PID 3052 wrote to memory of 2020 N/A C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe C:\Windows\system32\cmd.exe
PID 3052 wrote to memory of 1512 N/A C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe C:\Windows\system32\cmd.exe
PID 3052 wrote to memory of 1992 N/A C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe C:\Windows\system32\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\SandeLLoCHECKER_Installer (2).exe

"C:\Users\Admin\AppData\Local\Temp\SandeLLoCHECKER_Installer (2).exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\chainproviderBrowsersvc\1byCZNucUjtCyYTxjpkyduFHkoB.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\chainproviderBrowsersvc\1L1To0L.bat" "

C:\chainproviderBrowsersvc\surrogateweb.exe

"C:\chainproviderBrowsersvc\surrogateweb.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe'" /rl HIGHEST /f

C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe

"C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe


C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 kolasau6.beget.tech udp
RU 5.101.153.31:80 kolasau6.beget.tech tcp
RU 5.101.153.31:80 kolasau6.beget.tech tcp

Files

C:\chainproviderBrowsersvc\1byCZNucUjtCyYTxjpkyduFHkoB.vbe

C:\chainproviderBrowsersvc\1L1To0L.bat

C:\chainproviderBrowsersvc\surrogateweb.exe

C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-19 10:16

Reported

2024-07-19 10:19

Platform

win10v2004-20240709-en

Max time kernel

140s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SandeLLoCHECKER_Installer (2).exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\"" C:\chainproviderBrowsersvc\surrogateweb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\chainproviderBrowsersvc\\conhost.exe\"" C:\chainproviderBrowsersvc\surrogateweb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\chainproviderBrowsersvc\\conhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\smss.exe\"" C:\chainproviderBrowsersvc\surrogateweb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\", \"C:\\chainproviderBrowsersvc\\conhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\smss.exe\", \"C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\unsecapp.exe\"" C:\chainproviderBrowsersvc\surrogateweb.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\chainproviderBrowsersvc\surrogateweb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SandeLLoCHECKER_Installer (2).exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\chainproviderBrowsersvc\surrogateweb.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\unsecapp.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\"" C:\chainproviderBrowsersvc\surrogateweb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\chainproviderBrowsersvc\\RuntimeBroker.exe\"" C:\chainproviderBrowsersvc\surrogateweb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\chainproviderBrowsersvc\\conhost.exe\"" C:\chainproviderBrowsersvc\surrogateweb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\chainproviderBrowsersvc\\conhost.exe\"" C:\chainproviderBrowsersvc\surrogateweb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\WindowsPowerShell\\smss.exe\"" C:\chainproviderBrowsersvc\surrogateweb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\WindowsPowerShell\\smss.exe\"" C:\chainproviderBrowsersvc\surrogateweb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\unsecapp.exe\"" C:\chainproviderBrowsersvc\surrogateweb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\unsecapp.exe\"" C:\chainproviderBrowsersvc\surrogateweb.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\WindowsPowerShell\smss.exe C:\chainproviderBrowsersvc\surrogateweb.exe N/A
File created C:\Program Files\WindowsPowerShell\69ddcba757bf72 C:\chainproviderBrowsersvc\surrogateweb.exe N/A
File created C:\Program Files (x86)\Common Files\Oracle\Java\javapath\unsecapp.exe C:\chainproviderBrowsersvc\surrogateweb.exe N/A
File created C:\Program Files (x86)\Common Files\Oracle\Java\javapath\29c1c3cc0f7685 C:\chainproviderBrowsersvc\surrogateweb.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\SandeLLoCHECKER_Installer (2).exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\unsecapp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\chainproviderBrowsersvc\surrogateweb.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\unsecapp.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\SandeLLoCHECKER_Installer (2).exe

"C:\Users\Admin\AppData\Local\Temp\SandeLLoCHECKER_Installer (2).exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\chainproviderBrowsersvc\1byCZNucUjtCyYTxjpkyduFHkoB.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\chainproviderBrowsersvc\1L1To0L.bat" "

C:\chainproviderBrowsersvc\surrogateweb.exe

"C:\chainproviderBrowsersvc\surrogateweb.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\chainproviderBrowsersvc\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\chainproviderBrowsersvc\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\chainproviderBrowsersvc\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\chainproviderBrowsersvc\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\chainproviderBrowsersvc\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\chainproviderBrowsersvc\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\WindowsPowerShell\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath\unsecapp.exe'" /rl HIGHEST /f

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\unsecapp.exe

"C:\Program Files (x86)\Common Files\Oracle\Java\javapath\unsecapp.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 kolasau6.beget.tech udp
RU 5.101.153.31:80 kolasau6.beget.tech tcp
RU 5.101.153.31:80 kolasau6.beget.tech tcp
US 8.8.8.8:53 31.153.101.5.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\chainproviderBrowsersvc\1byCZNucUjtCyYTxjpkyduFHkoB.vbe

C:\chainproviderBrowsersvc\1L1To0L.bat

C:\chainproviderBrowsersvc\surrogateweb.exe
