Malware Analysis Report

2025-08-10 14:19

Sample ID 241003-zzezhazfqg
Target 108371ef36e513fe10d28555b11f25d5_JaffaCakes118
SHA256 a810d7db2f261f9407731d7122361b3df0e83501a0a2fbd2c32aaac6c651a456
Tags
ramnit banker discovery spyware stealer trojan upx worm evasion persistence
score
10/10

Analysis Overview

Threat Level: Known bad

The file 108371ef36e513fe10d28555b11f25d5_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker discovery spyware stealer trojan upx worm evasion persistence

Modifies WinLogon for persistence

Ramnit

UAC bypass

Drops startup file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

UPX packed file

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-10-03 21:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-03 21:09

Reported

2024-10-03 21:11

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\108371ef36e513fe10d28555b11f25d5_JaffaCakes118.exe"

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation \??\c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation \??\c:\users\admin\appdata\local\temp\tbwotahm.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\appdata\local\temp\tbwotahm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tbwotahm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\108371ef36e513fe10d28555b11f25d5_JaffaCakes118.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2642545023" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135192" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135192" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{BD2F1F2E-81CB-11EF-BFD9-D6586EC96307} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135192" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2444263711" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3400000034000000ba04000099020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2443794884" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434754727" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2443794884" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2444263711" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff1a0000001a000000a00400007f020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135192" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A \??\c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe N/A
Token: SeSecurityPrivilege N/A \??\c:\users\admin\appdata\local\temp\tbwotahm.exe N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\tbwotahm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3044 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\108371ef36e513fe10d28555b11f25d5_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe
PID 1008 wrote to memory of 3264 N/A \??\c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 1008 wrote to memory of 3528 N/A \??\c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3528 wrote to memory of 4552 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 4552 wrote to memory of 4024 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1008 wrote to memory of 2628 N/A \??\c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 1008 wrote to memory of 3996 N/A \??\c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3996 wrote to memory of 2580 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 4552 wrote to memory of 396 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1008 wrote to memory of 3100 N/A \??\c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe C:\Users\Admin\AppData\Local\Temp\tbwotahm.exe
PID 3100 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\tbwotahm.exe \??\c:\users\admin\appdata\local\temp\tbwotahm.exe
PID 1808 wrote to memory of 2116 N/A \??\c:\users\admin\appdata\local\temp\tbwotahm.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\108371ef36e513fe10d28555b11f25d5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\108371ef36e513fe10d28555b11f25d5_JaffaCakes118.exe"

\??\c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe

"c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3264 -ip 3264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 208

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4552 CREDAT:17410 /prefetch:2

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2628 -ip 2628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 208

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4552 CREDAT:17416 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\tbwotahm.exe

"C:\Users\Admin\AppData\Local\Temp\tbwotahm.exe" elevate

\??\c:\users\admin\appdata\local\temp\tbwotahm.exe

"c:\users\admin\appdata\local\temp\tbwotahm.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2116 -ip 2116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 204

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4552 CREDAT:17422 /prefetch:2

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1912 -ip 1912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 204

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4552 CREDAT:17428 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\tbwotahm.exe

"C:\Users\Admin\AppData\Local\Temp\tbwotahm.exe" elevate

\??\c:\users\admin\appdata\local\temp\tbwotahm.exe

"c:\users\admin\appdata\local\temp\tbwotahm.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2776 -ip 2776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 204

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3796 -ip 3796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 208

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4552 CREDAT:17438 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\tbwotahm.exe

"C:\Users\Admin\AppData\Local\Temp\tbwotahm.exe" elevate

\??\c:\users\admin\appdata\local\temp\tbwotahm.exe

"c:\users\admin\appdata\local\temp\tbwotahm.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2552 -ip 2552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 204

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4936 -ip 4936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 216

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tbwotahm.exe

MD5 108371ef36e513fe10d28555b11f25d5
SHA1 989275215b0497d1d5eb16d34548183bffb3f333
SHA256 a810d7db2f261f9407731d7122361b3df0e83501a0a2fbd2c32aaac6c651a456
SHA512 82385b6e26c9e650b5da73841927505b338d0312278ac438c084f0542afaac4fc9207cdb41f2b0dc1cc2fc896fe06385187d170554c0ebd142452d5987618538

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 6de4427d02d49cee2c46a8fead1fafa8
SHA1 bee49bf0e4452ca72442face8e655bf4a8c3af17
SHA256 46d5cd7ff558e5c788807eb674587359c6a660cef091eb420676977e49833d53
SHA512 c80311bb92f9f49de96d06e9a76a3ef0310365999f00f401fd003d438b66744a88f093b5887e1723c6b8179798697ec24c4b2bda489323337f6cec6d28ef6434

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 1b9a640c68fa6d04de6d74ceb4f07f3f
SHA1 c92ae9ba07e8b0366800284ff7b9aaf332559b31
SHA256 bbbce8e618ed89eeb136477cad3d711b66358de50ef03ffbe069593a219357ed
SHA512 612346ba0801823f84e62eea384acbef4c41d58d367112c1f24f53ac97c587e615c43b2150a696a7207e434d053cffc58f1f0899c9d93ac6ae35e08bdbb9c0ea

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver6184.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLXU5DI6\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-03 21:09

Reported

2024-10-03 21:11

Platform

win7-20240903-en

Max time kernel

150s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\108371ef36e513fe10d28555b11f25d5_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\vwfrhnot\\edwdfdud.exe" C:\Windows\SysWOW64\svchost.exe N/A

Ramnit

trojan spyware stealer worm banker ramnit

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\svchost.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edwdfdud.exe C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edwdfdud.exe C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\vircwswq.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\vircwswq.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\EdwDfdud = "C:\\Users\\Admin\\AppData\\Local\\vwfrhnot\\edwdfdud.exe" C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1916 set thread context of 2388 N/A C:\Users\Admin\AppData\Local\Temp\108371ef36e513fe10d28555b11f25d5_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe
PID 2152 set thread context of 1888 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 1260 set thread context of 2008 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 1712 set thread context of 2956 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 3052 set thread context of 772 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2392 set thread context of 812 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 1072 set thread context of 3016 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 928 set thread context of 604 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 1824 set thread context of 896 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2212 set thread context of 3040 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 652 set thread context of 2592 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2144 set thread context of 2192 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2256 set thread context of 2316 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2992 set thread context of 2736 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2124 set thread context of 1516 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 1724 set thread context of 2740 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2816 set thread context of 1092 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 1608 set thread context of 1752 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2944 set thread context of 536 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2348 set thread context of 2072 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2588 set thread context of 1860 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2368 set thread context of 1612 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 1548 set thread context of 2336 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 1728 set thread context of 960 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 1812 set thread context of 1496 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2340 set thread context of 2104 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2880 set thread context of 2732 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2992 set thread context of 2884 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 1916 set thread context of 272 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 1232 set thread context of 1724 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2872 set thread context of 2648 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2424 set thread context of 1108 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 660 set thread context of 2644 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 356 set thread context of 2120 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2788 set thread context of 2700 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2452 set thread context of 692 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 484 set thread context of 2948 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 300 set thread context of 1824 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 1728 set thread context of 980 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 3036 set thread context of 2920 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 1600 set thread context of 2924 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2880 set thread context of 864 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2572 set thread context of 3064 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2604 set thread context of 2152 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2076 set thread context of 2600 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2872 set thread context of 2816 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 1432 set thread context of 2652 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2952 set thread context of 2864 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2280 set thread context of 1472 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 1300 set thread context of 2960 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 1664 set thread context of 1356 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2784 set thread context of 2252 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2472 set thread context of 548 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 1840 set thread context of 2432 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2792 set thread context of 308 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2060 set thread context of 1732 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2908 set thread context of 2636 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2748 set thread context of 1916 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 1248 set thread context of 2528 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2844 set thread context of 2820 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 1608 set thread context of 2436 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2952 set thread context of 1720 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 1348 set thread context of 2444 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2936 set thread context of 1124 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\appdata\local\temp\vircwswq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vircwswq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\appdata\local\temp\vircwswq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\appdata\local\temp\vircwswq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vircwswq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vircwswq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\appdata\local\temp\vircwswq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\appdata\local\temp\vircwswq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\appdata\local\temp\vircwswq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\appdata\local\temp\vircwswq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vircwswq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vircwswq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vircwswq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\users\admin\appdata\local\temp\vircwswq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vircwswq.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434151644" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CC243D71-81CB-11EF-9A35-EAF933E40231} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A \??\c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeSecurityPrivilege N/A \??\c:\users\admin\appdata\local\temp\vircwswq.exe N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\vircwswq.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1916 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\108371ef36e513fe10d28555b11f25d5_JaffaCakes118.exe \??\c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe
PID 2388 wrote to memory of 1052 N/A \??\c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 2388 wrote to memory of 3000 N/A \??\c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 2388 wrote to memory of 2152 N/A \??\c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
PID 2152 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 1888 wrote to memory of 1260 N/A \??\c:\users\admin\appdata\local\temp\vircwswq.exe C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
PID 1260 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe
PID 2008 wrote to memory of 1712 N/A \??\c:\users\admin\appdata\local\temp\vircwswq.exe C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
PID 1712 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\vircwswq.exe \??\c:\users\admin\appdata\local\temp\vircwswq.exe

Processes

C:\Users\Admin\AppData\Local\Temp\108371ef36e513fe10d28555b11f25d5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\108371ef36e513fe10d28555b11f25d5_JaffaCakes118.exe"

\??\c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe

"c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:275472 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\qtmapair.exe

"C:\Users\Admin\AppData\Local\Temp\qtmapair.exe" elevate

\??\c:\users\admin\appdata\local\temp\qtmapair.exe

"c:\users\admin\appdata\local\temp\qtmapair.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:275479 /prefetch:2

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:209960 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\qtmapair.exe

"C:\Users\Admin\AppData\Local\Temp\qtmapair.exe" elevate

\??\c:\users\admin\appdata\local\temp\qtmapair.exe

"c:\users\admin\appdata\local\temp\qtmapair.exe"

C:\Users\Admin\AppData\Local\Temp\vircwswq.exe

"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate

\??\c:\users\admin\appdata\local\temp\vircwswq.exe

"c:\users\admin\appdata\local\temp\vircwswq.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 nnfjvhymbtivx.com udp
US 8.8.8.8:53 fcgejxldqypasmlav.com udp
US 8.8.8.8:53 rdluchxfvejhhfrtkld.com udp
US 8.8.8.8:53 suxlnkadqwqavihf.com udp
US 8.8.8.8:53 wbylawgnume.com udp
US 8.8.8.8:53 mxjmrsce.com udp
US 8.8.8.8:53 ovjdjowwfiejsv.com udp
US 8.8.8.8:53 llerggqhwlicvekr.com udp
US 8.8.8.8:53 plhwarkytmmockwbjeb.com udp
US 8.8.8.8:53 fvgotugnkdgr.com udp
US 8.8.8.8:53 tnmgwclsulchxwefk.com udp
US 8.8.8.8:53 grrfusycbutgcdfnsuv.com udp
US 8.8.8.8:53 rjtacprqemcrhwg.com udp
US 8.8.8.8:53 jnqknbdjkcu.com udp
US 8.8.8.8:53 uelmqkkjhynkscodc.com udp
US 8.8.8.8:53 bkecrywrasvbillu.com udp
US 8.8.8.8:53 qdrudkrc.com udp
US 8.8.8.8:53 uiapugfe.com udp
US 8.8.8.8:53 ofheubnonpg.com udp
US 8.8.8.8:53 hxleirremopog.com udp
US 8.8.8.8:53 hawfbmpvawyb.com udp
US 8.8.8.8:53 ufonanyrlfp.com udp
US 8.8.8.8:53 xbopodbuqykdseh.com udp
US 8.8.8.8:53 jwfosebwnkmry.com udp
US 8.8.8.8:53 jukwtxdhybypevngin.com udp
US 8.8.8.8:53 quqmnejqwtdeqvlwb.com udp
US 8.8.8.8:53 vaywiscedyxygrrvqi.com udp
US 8.8.8.8:53 wubgyufncyfufyelf.com udp
US 8.8.8.8:53 fhlifjixtfb.com udp
US 8.8.8.8:53 tjbwbuoiklfubewlnd.com udp
US 8.8.8.8:53 bdwmhihxty.com udp
US 8.8.8.8:53 wigwdjpfb.com udp
US 8.8.8.8:53 xfeilynams.com udp
US 8.8.8.8:53 wlgywycen.com udp
US 8.8.8.8:53 vyxhnejpetmn.com udp
US 8.8.8.8:53 wikuemkpdnwtucshvk.com udp
US 8.8.8.8:53 kauekfvsf.com udp
US 8.8.8.8:53 jiyrwudoyejk.com udp
US 8.8.8.8:53 niyausoqe.com udp
US 8.8.8.8:53 cyanwmfcnstduhribs.com udp
US 8.8.8.8:53 bybrejuyorgwoa.com udp
US 8.8.8.8:53 nakmsjtcto.com udp
US 8.8.8.8:53 dqrjixyvbssx.com udp
US 8.8.8.8:53 teulpipytesuoxsykc.com udp
US 8.8.8.8:53 kffwygqbtpdh.com udp
US 8.8.8.8:53 nneuuppagyuybj.com udp
US 8.8.8.8:53 mhwalylagjuopwv.com udp
US 8.8.8.8:53 epigxtiannc.com udp
US 8.8.8.8:53 ttfxwmakjxmhm.com udp
US 8.8.8.8:53 wjcfllgi.com udp
US 8.8.8.8:53 cbdtgbrybqehdhy.com udp
US 8.8.8.8:53 myhbdthckcdfhgci.com udp
US 8.8.8.8:53 oiymosdjxwpamce.com udp
US 8.8.8.8:53 mlflokkkspswyfnfbc.com udp
US 8.8.8.8:53 thbihlxurob.com udp
US 8.8.8.8:53 qheiqcyxrqv.com udp
US 8.8.8.8:53 cpcogmsdwgbtiuqclsm.com udp
US 8.8.8.8:53 qjisnelmcjtg.com udp
US 8.8.8.8:53 cbcpyghktahyrwr.com udp
US 8.8.8.8:53 bsnuypumhfybnugcd.com udp
US 8.8.8.8:53 dkxmsbjiejuo.com udp
US 8.8.8.8:53 vcfgpasvqbwornhao.com udp
US 8.8.8.8:53 gfogxedvjwn.com udp
US 8.8.8.8:53 gehrbfqvihbryav.com udp
US 8.8.8.8:53 hyqpnvxfaxow.com udp
US 8.8.8.8:53 ljebhtoefnttelekfl.com udp
US 8.8.8.8:53 nmuhxjywumbhtp.com udp
US 8.8.8.8:53 nduktixjnlisu.com udp
US 8.8.8.8:53 eklmxfotbaofoloon.com udp
US 8.8.8.8:53 vcmkrmpjcheyag.com udp
US 8.8.8.8:53 mpnwxwqketycp.com udp
US 8.8.8.8:53 jwbknfukacrgpyk.com udp
US 8.8.8.8:53 tvqnkxbuncehk.com udp
US 8.8.8.8:53 jlkhbdbmdrqipuexn.com udp
US 8.8.8.8:53 imgggbjtifnvqna.com udp
US 8.8.8.8:53 xyylttlorypluq.com udp
US 8.8.8.8:53 ddpifoyenogceql.com udp
US 8.8.8.8:53 fjwpmgvdihxupipv.com udp
US 8.8.8.8:53 khdtsbkng.com udp
US 8.8.8.8:53 xtlctubpuyy.com udp
US 8.8.8.8:53 ygdgmmfyk.com udp
US 8.8.8.8:53 scdthwrswp.com udp
US 8.8.8.8:53 uxpunbkg.com udp
US 8.8.8.8:53 nvpwlkrdb.com udp
US 8.8.8.8:53 eyyjatakvjcfnvw.com udp
US 8.8.8.8:53 djheajwvgodxa.com udp
US 8.8.8.8:53 wnrgcbvoadriawdy.com udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 google.com udp
GB 142.250.180.14:80 google.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 api.bing.com udp

Files

\Users\Admin\AppData\Local\Temp\vircwswq.exe

MD5 108371ef36e513fe10d28555b11f25d5
SHA1 989275215b0497d1d5eb16d34548183bffb3f333
SHA256 a810d7db2f261f9407731d7122361b3df0e83501a0a2fbd2c32aaac6c651a456
SHA512 82385b6e26c9e650b5da73841927505b338d0312278ac438c084f0542afaac4fc9207cdb41f2b0dc1cc2fc896fe06385187d170554c0ebd142452d5987618538
