Analysis Overview
SHA256
a810d7db2f261f9407731d7122361b3df0e83501a0a2fbd2c32aaac6c651a456
Threat Level: Known bad
The file 108371ef36e513fe10d28555b11f25d5_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Ramnit
UAC bypass
Drops startup file
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
UPX packed file
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-03 21:09
Signatures
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-03 21:09
Reported
2024-10-03 21:11
Platform
win10v2004-20240802-en
Max time kernel
141s
Max time network
141s
Command Line
Signatures
Ramnit
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | \??\c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | \??\c:\users\admin\appdata\local\temp\tbwotahm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | \??\c:\users\admin\appdata\local\temp\tbwotahm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tbwotahm.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\tbwotahm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tbwotahm.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\tbwotahm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tbwotahm.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\tbwotahm.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3044 set thread context of 1008 | N/A | C:\Users\Admin\AppData\Local\Temp\108371ef36e513fe10d28555b11f25d5_JaffaCakes118.exe | \??\c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe |
| PID 3100 set thread context of 1808 | N/A | C:\Users\Admin\AppData\Local\Temp\tbwotahm.exe | \??\c:\users\admin\appdata\local\temp\tbwotahm.exe |
| PID 552 set thread context of 4288 | N/A | C:\Users\Admin\AppData\Local\Temp\tbwotahm.exe | \??\c:\users\admin\appdata\local\temp\tbwotahm.exe |
| PID 1248 set thread context of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\tbwotahm.exe | \??\c:\users\admin\appdata\local\temp\tbwotahm.exe |
UPX packed file
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\users\admin\appdata\local\temp\tbwotahm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tbwotahm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tbwotahm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\users\admin\appdata\local\temp\tbwotahm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tbwotahm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\users\admin\appdata\local\temp\tbwotahm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\108371ef36e513fe10d28555b11f25d5_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2642545023" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135192" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135192" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{BD2F1F2E-81CB-11EF-BFD9-D6586EC96307} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135192" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2444263711" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3400000034000000ba04000099020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2443794884" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434754727" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2443794884" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135192" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2444263711" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff1a0000001a000000a00400007f020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135192" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | \??\c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | \??\c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe | N/A |
| Token: SeSecurityPrivilege | N/A | \??\c:\users\admin\appdata\local\temp\tbwotahm.exe | N/A |
| Token: SeDebugPrivilege | N/A | \??\c:\users\admin\appdata\local\temp\tbwotahm.exe | N/A |
| Token: SeSecurityPrivilege | N/A | \??\c:\users\admin\appdata\local\temp\tbwotahm.exe | N/A |
| Token: SeDebugPrivilege | N/A | \??\c:\users\admin\appdata\local\temp\tbwotahm.exe | N/A |
| Token: SeSecurityPrivilege | N/A | \??\c:\users\admin\appdata\local\temp\tbwotahm.exe | N/A |
| Token: SeDebugPrivilege | N/A | \??\c:\users\admin\appdata\local\temp\tbwotahm.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\108371ef36e513fe10d28555b11f25d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\108371ef36e513fe10d28555b11f25d5_JaffaCakes118.exe"
\??\c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe
"c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3264 -ip 3264
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 208
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4552 CREDAT:17410 /prefetch:2
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2628 -ip 2628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 208
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4552 CREDAT:17416 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\tbwotahm.exe
"C:\Users\Admin\AppData\Local\Temp\tbwotahm.exe" elevate
\??\c:\users\admin\appdata\local\temp\tbwotahm.exe
"c:\users\admin\appdata\local\temp\tbwotahm.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2116 -ip 2116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 204
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4552 CREDAT:17422 /prefetch:2
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1912 -ip 1912
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 204
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4552 CREDAT:17428 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\tbwotahm.exe
"C:\Users\Admin\AppData\Local\Temp\tbwotahm.exe" elevate
\??\c:\users\admin\appdata\local\temp\tbwotahm.exe
"c:\users\admin\appdata\local\temp\tbwotahm.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2776 -ip 2776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 204
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3796 -ip 3796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 208
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4552 CREDAT:17438 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\tbwotahm.exe
"C:\Users\Admin\AppData\Local\Temp\tbwotahm.exe" elevate
\??\c:\users\admin\appdata\local\temp\tbwotahm.exe
"c:\users\admin\appdata\local\temp\tbwotahm.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2552 -ip 2552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 204
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4936 -ip 4936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 216
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 52.111.229.48:443 | | tcp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 8.8.8.8:53 | api.bing.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tbwotahm.exe
| MD5 | 108371ef36e513fe10d28555b11f25d5 |
| SHA1 | 989275215b0497d1d5eb16d34548183bffb3f333 |
| SHA256 | a810d7db2f261f9407731d7122361b3df0e83501a0a2fbd2c32aaac6c651a456 |
| SHA512 | 82385b6e26c9e650b5da73841927505b338d0312278ac438c084f0542afaac4fc9207cdb41f2b0dc1cc2fc896fe06385187d170554c0ebd142452d5987618538 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 6de4427d02d49cee2c46a8fead1fafa8 |
| SHA1 | bee49bf0e4452ca72442face8e655bf4a8c3af17 |
| SHA256 | 46d5cd7ff558e5c788807eb674587359c6a660cef091eb420676977e49833d53 |
| SHA512 | c80311bb92f9f49de96d06e9a76a3ef0310365999f00f401fd003d438b66744a88f093b5887e1723c6b8179798697ec24c4b2bda489323337f6cec6d28ef6434 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 1b9a640c68fa6d04de6d74ceb4f07f3f |
| SHA1 | c92ae9ba07e8b0366800284ff7b9aaf332559b31 |
| SHA256 | bbbce8e618ed89eeb136477cad3d711b66358de50ef03ffbe069593a219357ed |
| SHA512 | 612346ba0801823f84e62eea384acbef4c41d58d367112c1f24f53ac97c587e615c43b2150a696a7207e434d053cffc58f1f0899c9d93ac6ae35e08bdbb9c0ea |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver6184.tmp
| MD5 | 1a545d0052b581fbb2ab4c52133846bc |
| SHA1 | 62f3266a9b9925cd6d98658b92adec673cbe3dd3 |
| SHA256 | 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1 |
| SHA512 | bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLXU5DI6\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-03 21:09
Reported
2024-10-03 21:11
Platform
win7-20240903-en
Max time kernel
150s
Max time network
138s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\vwfrhnot\\edwdfdud.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
Ramnit
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edwdfdud.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edwdfdud.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\EdwDfdud = "C:\\Users\\Admin\\AppData\\Local\\vwfrhnot\\edwdfdud.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of SetThreadContext
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\users\admin\appdata\local\temp\vircwswq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vircwswq.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434151644" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CC243D71-81CB-11EF-9A35-EAF933E40231} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\108371ef36e513fe10d28555b11f25d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\108371ef36e513fe10d28555b11f25d5_JaffaCakes118.exe"
\??\c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe
"c:\users\admin\appdata\local\temp\108371ef36e513fe10d28555b11f25d5_jaffacakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:275457 /prefetch:2
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:275472 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\qtmapair.exe
"C:\Users\Admin\AppData\Local\Temp\qtmapair.exe" elevate
\??\c:\users\admin\appdata\local\temp\qtmapair.exe
"c:\users\admin\appdata\local\temp\qtmapair.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:275479 /prefetch:2
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:209960 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\qtmapair.exe
"C:\Users\Admin\AppData\Local\Temp\qtmapair.exe" elevate
\??\c:\users\admin\appdata\local\temp\qtmapair.exe
"c:\users\admin\appdata\local\temp\qtmapair.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Users\Admin\AppData\Local\Temp\vircwswq.exe
"C:\Users\Admin\AppData\Local\Temp\vircwswq.exe" elevate
\??\c:\users\admin\appdata\local\temp\vircwswq.exe
"c:\users\admin\appdata\local\temp\vircwswq.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
Network
Files
\Users\Admin\AppData\Local\Temp\vircwswq.exe
| MD5 | 108371ef36e513fe10d28555b11f25d5 |
| SHA1 | 989275215b0497d1d5eb16d34548183bffb3f333 |
| SHA256 | a810d7db2f261f9407731d7122361b3df0e83501a0a2fbd2c32aaac6c651a456 |
| SHA512 | 82385b6e26c9e650b5da73841927505b338d0312278ac438c084f0542afaac4fc9207cdb41f2b0dc1cc2fc896fe06385187d170554c0ebd142452d5987618538 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 947dff551d2e47bde007c51543cc8a84 |
| SHA1 | 89f0e76708e94e64aff039902afe139dde926c63 |
| SHA256 | a98421b2fd2886f93ad8d801bca78a8e7a33ce5df452d62cbea618113413fa51 |
| SHA512 | 108a9b95bb711f67d3dfb5060858ce2b578a51b65856d7d5bde10ccb1734eacd13cf48a11bb1d2fb5ce868f198b4fa5d96549fe98c1d7c5833ee23e4fb47706c |
memory/1560-3519-0x0000000000400000-0x0000000000435000-memory.dmp
memory/680-3538-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3532-3609-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3936-4006-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3908-4175-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1552-4524-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3592-4609-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2412-4826-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3268-4851-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3996-4924-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2132-4937-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1560-5027-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6133961f2a4c1ec8cb2678907dd6bae5 |
| SHA1 | d3362e96f6ba88b56072eea9e612a4428a5814e2 |
| SHA256 | 79251eeb386758385332eaea4355589fd637d84f26f31e8b51e5741e058e0c28 |
| SHA512 | a418a2009ae4bd594eedfde24e90a7f30ef3e0064f34893c2f78edf9999358aa1e59d1729b59907459d9ccb690b17903d29ea98223fd8eee667017c65acca81c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8fa0d62f93620ba2df034653d83ac9e8 |
| SHA1 | 89acd83a1c35e614c6f90a2b29aae9f6ee6eca79 |
| SHA256 | 1200c946c785098f8c9cda3cfa784cba5d37ed1f20c57833409809b5232f3051 |
| SHA512 | 349268b8d8bd87ba8a9a0315fbfe2fa3dbd4e5c3fcd8c6bd10ad13362d0909b20c14f0872ac7251ec356db144eed7cd76229ed2842c4cd2cac93076870506dfb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ec5fa0bb0e318594ffe874683da027c7 |
| SHA1 | dedf2aa37f5cc4b4e3a92d97aa981d44b47170c5 |
| SHA256 | 7f907c38fca685c0ff894edf6d67d074feb0534eb1e02701d227180ddc13459d |
| SHA512 | df606b01094afac430915e77c66baf3a6266fa5a2d0e150e8bcc4230aeca005794b206325558e03bccb93ff77a7f79f547009147d4ec95d37d8791cee999e8c5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 25c0024ab29c5577f746cfa1c58c0240 |
| SHA1 | 36bfad32a463a8e2be4836d700e417955f5365c1 |
| SHA256 | e7b9b7b721f793e2cf140ca19e3d7cd893f673118d78f9c724b8fbe7bae0c8df |
| SHA512 | 8f6c650969eed553babadf815905f36ffe9891cc7e675741a64185049dfe2ac67c340d52b05445cd3228e1077b1038d8d26fd3326c1f015bdd4382ecd61c8535 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 15997fbd0b0367eec30ae14770d5afc2 |
| SHA1 | 6c5bb464309cd9085c7d06b499a6466c8f55561b |
| SHA256 | 78778b292e33eea8cde3208f24d15911a95f1539cac5ff35222170bf3c32fc66 |
| SHA512 | 2f950fa2aa1051e749e2fa6159f7b36620a3bee3eec858486f55a5155bc1692b457ed30cfd9b630cf1e8ecf87069a49cd2cd25c506057b659f8907cb0d461730 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3d1c425199eb6c24330f515e8861002a |
| SHA1 | b41fe1744e6eed811229f2637a97be20c8609124 |
| SHA256 | 208d4848dd5acb1b30af03c372ecc595ddea0ea7eeea8ebc95b51afc75994089 |
| SHA512 | 071b02b7ee675dcdfe3100d01cd53521fda771517552c344a072ea96df0b3494c8d4e3bf040ec6729e05df35813443db9c261900f411927129420290a1126ce2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 814129a019ad49125fa71539db063a4c |
| SHA1 | c0ff7be9bea6175caac616161e7eef13e1a4def3 |
| SHA256 | feabc38def0e47edfcb90501a726c8376e3dfbf06f7a123fdc8ae736baf9893e |
| SHA512 | 6d7f2bbe04f02c23550c8547dd4a00bcc78139b6798aaffbfde97d5618ce0a0f5cd41dd99cdd2dd1e79c47b86f16824bb3e49ade2f32a56ad557e31097db32ac |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 367805b871df0c72258705a20bbf2262 |
| SHA1 | bd057b1d201ef085ccfbc2463bdea7c3d7829af7 |
| SHA256 | 7087b12965ad17453ce2f88c8453c9fb0e0cd3c85f219b9cd293d52b7f3ae912 |
| SHA512 | 34109f48a742baf35d81bddb6c4d8561dcfe50eae31631c47361768855054abf7ddc30fc44247ed316d23b5cfa552bdd4bbff6d295f6f03ac3d9bf9533afd9e9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ae58df2d6b845d0b838e822945bf4e9c |
| SHA1 | 664686ab73de3b3abefc1195d4f8c1d2b63f76c1 |
| SHA256 | 415644c1bf290afc3e07e7890b8d1595541b63a79d88896dc5e73c4693bf05bb |
| SHA512 | f2fd9f9587c0e83c29ddd8241df10d4103aa8515b40c388ba62443f160e2688514bea24935a65ad39c094bb90b488b6b556751b49314a73c0a7049327632a46e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 15a88ca81b797e6fd8b2aeeaceca2c7f |
| SHA1 | 9e4622f9df0e0c213f957d495a6f27ba5a5db799 |
| SHA256 | 7ba68d77d0b5d5438dd4a0b50bb0a34059f1212e5a6b46e3365f3329c24690bc |
| SHA512 | d1378a44861e1739ae97496d529f964c0074aec35d2ef14715f9f6b1aee33bf912c6167feb591673a3da49202719ae0503ce5379facdbd8d3d6a1b6cd8421fff |
memory/1560-5482-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3340-5494-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3272-5711-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3564-6108-0x0000000000400000-0x0000000000435000-memory.dmp
memory/572-6301-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1560-6403-0x0000000000400000-0x0000000000435000-memory.dmp