Malware Analysis Report

2025-05-05 21:43

Sample ID 250421-bp4cca1kw6
Target CryptoLocker.exe
SHA256 d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
Tags
cryptolocker defense_evasion discovery execution impact persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

Threat Level: Known bad

The file CryptoLocker.exe was found to be: Known bad.

Malicious Activity Summary

cryptolocker defense_evasion discovery execution impact persistence ransomware

CryptoLocker

Cryptolocker family

Deletes shadow copies

Downloads MZ/PE file

Deletes itself

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Subvert Trust Controls: Mark-of-the-Web Bypass

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

NSIS installer

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

NTFS ADS

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Interacts with shadow copies

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Enumerates system info in registry

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-04-21 01:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-04-21 01:20

Reported

2025-04-21 01:25

Platform

win10ltsc2021-20250410-en

Max time kernel

310s

Max time network

312s

Command Line

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

Signatures

CryptoLocker

ransomware cryptolocker

Cryptolocker family

cryptolocker

Deletes shadow copies

ransomware defense_evasion impact execution

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\AdwereCleaner.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe" C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdwCleaner = "\"C:\\Users\\Admin\\AppData\\Local\\6AdwCleaner.exe\" -auto" C:\Users\Admin\AppData\Local\6AdwCleaner.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1672 set thread context of 5340 N/A C:\Users\Admin\Downloads\satan.exe C:\Users\Admin\Downloads\satan.exe
PID 5672 set thread context of 4964 N/A C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

Subvert Trust Controls: Mark-of-the-Web Bypass

defense_evasion
Description Indicator Process Target
File created C:\Users\Admin\Downloads\CryptoLocker.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\satan.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\AdwereCleaner.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\WinNuke.98.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\satan.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\AdwereCleaner.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\WinNuke.98.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4260291853-3905407524-539084913-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\Walker.com:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\WinNuke.98.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\CryptoLocker.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\satan.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\AdwereCleaner.exe:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\Melissa.doc:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\satan.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\6AdwCleaner.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\6AdwCleaner.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1876 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 404 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 1612 wrote to memory of 3068 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 5256 wrote to memory of 4156 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4156 wrote to memory of 3820 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe

"C:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe"

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe"

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000240

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1980 -prefsLen 27100 -prefMapHandle 1984 -prefMapSize 270279 -ipcHandle 2072 -initialChannelId {efc6e0a9-3909-4f6b-8df9-60c795d607c7} -parentPid 4156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4156" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2436 -prefsLen 27136 -prefMapHandle 2440 -prefMapSize 270279 -ipcHandle 2444 -initialChannelId {a2b182f7-5d2a-44e2-abc4-0f1eb75c550b} -parentPid 4156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3972 -prefsLen 27277 -prefMapHandle 3976 -prefMapSize 270279 -jsInitHandle 3980 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3984 -initialChannelId {5ef19e33-d59a-41c1-9fe7-a6701bb2b133} -parentPid 4156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4132 -prefsLen 27277 -prefMapHandle 4136 -prefMapSize 270279 -ipcHandle 4152 -initialChannelId {065f1a51-90d1-47a4-a61d-5305c7d47408} -parentPid 4156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4156" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3256 -prefsLen 34776 -prefMapHandle 2948 -prefMapSize 270279 -jsInitHandle 1628 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4492 -initialChannelId {40dc5a20-e4bf-47ea-80ec-1ce458352560} -parentPid 4156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 3144 -prefsLen 35013 -prefMapHandle 3148 -prefMapSize 270279 -ipcHandle 3132 -initialChannelId {6786ffd1-a589-4608-adaa-8eb489bd2e7d} -parentPid 4156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5312 -prefsLen 32900 -prefMapHandle 5316 -prefMapSize 270279 -jsInitHandle 5320 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5328 -initialChannelId {ee938bcc-a075-4368-9806-753544bfd69e} -parentPid 4156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5460 -prefsLen 32952 -prefMapHandle 5352 -prefMapSize 270279 -jsInitHandle 5520 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5528 -initialChannelId {4261ce28-31e4-40b9-b302-4da78718ea6e} -parentPid 4156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5704 -prefsLen 32952 -prefMapHandle 5708 -prefMapSize 270279 -jsInitHandle 5712 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5724 -initialChannelId {afa4edb6-e919-477f-8903-04862336ac44} -parentPid 4156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6472 -prefsLen 33071 -prefMapHandle 6412 -prefMapSize 270279 -jsInitHandle 6248 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3820 -initialChannelId {b42d314a-fed6-4992-9de8-54d959e8013f} -parentPid 4156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6816 -prefsLen 36543 -prefMapHandle 6804 -prefMapSize 270279 -jsInitHandle 6820 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6828 -initialChannelId {ad562d3a-73c3-45c0-8bd0-c76272de8d3f} -parentPid 4156 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4156" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 11 tab

C:\Users\Admin\Downloads\AdwereCleaner.exe

"C:\Users\Admin\Downloads\AdwereCleaner.exe"

C:\Users\Admin\AppData\Local\6AdwCleaner.exe

"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\6AdwCleaner.exe" -auto

C:\Users\Admin\AppData\Local\6AdwCleaner.exe

C:\Users\Admin\AppData\Local\6AdwCleaner.exe -auto

C:\Windows\system32\werfault.exe

werfault.exe /h /shared Global\4696bde7c2634a31a43935c5460b53d4 /t 4204 /p 4236

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Melissa.doc" /o ""

C:\Users\Admin\Downloads\WinNuke.98.exe

"C:\Users\Admin\Downloads\WinNuke.98.exe"

C:\Users\Admin\Downloads\satan.exe

"C:\Users\Admin\Downloads\satan.exe"

C:\Users\Admin\Downloads\satan.exe

"C:\Users\Admin\Downloads\satan.exe"

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

"C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_a1977cde.bat"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

"C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe"

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

Network


Files

SHA256 87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171
SHA512 77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xagz0so7.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info

MD5 ae29912407dfadf0d683982d4fb57293
SHA1 0542053f5a6ce07dc206f69230109be4a5e25775
SHA256 fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6
SHA512 6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xagz0so7.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll

MD5 626073e8dcf656ac4130e3283c51cbba
SHA1 7e3197e5792e34a67bfef9727ce1dd7dc151284c
SHA256 37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651
SHA512 eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 bcceccab13375513a6e8ab48e7b63496
SHA1 63d8a68cf562424d3fc3be1297d83f8247e24142
SHA256 a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9
SHA512 d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xagz0so7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 72961f7cebb42f7b8a0c715affdf61e7
SHA1 362bfeffbd5db83be9ba2d7030aa63ed88ee5928
SHA256 ae7d231992b1c90071a390a854191b27a56cd42bae71c9aef7e6858540a5fa9b
SHA512 11b0fc73d127f7f220baadea96bf0a174b2ca46a4a6758af4e091fad24934d56d88fce891efb4ebe970cc66149e7fa4bdb166983e69e7c97c982859434b76e14

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xagz0so7.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json

MD5 32aeacedce82bafbcba8d1ade9e88d5a
SHA1 a9b4858d2ae0b6595705634fd024f7e076426a24
SHA256 4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce
SHA512 67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xagz0so7.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll

MD5 1b32d1ec35a7ead1671efc0782b7edf0
SHA1 8e3274b9f2938ff2252ed74779dd6322c601a0c8
SHA256 3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648
SHA512 ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xagz0so7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 029727d8607ef95a0e51bf3e2277ec34
SHA1 e3b8f74047eaf83671e0bb4e146ff10a38591aaa
SHA256 340ac529baead9aa4edd81985c7933c84279cffd133e8ce3a466ab1501c38069
SHA512 5774f3d2a2529b5d3a724afbd7ec3490480c6fc965c0d92584c00c54a910d4919539154fb2bada44e3d653a97f16fe393dd07d3dada6e9b04a2e9bc13ff2720b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xagz0so7.default-release\AlternateServices.bin

MD5 74e4287d9f9e526549fe8a25d24761e6
SHA1 68ad12ea1f2387721b118a17a97f37d8679dd6d5
SHA256 46916a5660fc1915bc78f2848fd484059ec94390e592407acd5e31e93c373f49
SHA512 6d298edddaa41ba27e6ebdebab21dedf07119e5d23df7e84938f6e4bb903e22ed0a7c1543a0b1dbdb3caa61324e4d7f5f61868b3d3e30789148f0d556d1aefbc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xagz0so7.default-release\sessionstore-backups\recovery.baklz4

MD5 bbf67cac45b5952d402a3cbecb7ad4b4
SHA1 f507766fb3ddabe62fffdcbe9b78b137633271b0
SHA256 881bfb72f12688918d45884be9de6b08fded3ea6233c0e52e8f4b94ddfed47ef
SHA512 d4bf081750ea52b861bdd816b302a85db7d928e98f2886da25f215489f41d5fecc5390d4dee1309cc949964afa341cbc0481235b1ebea120040df24eeef53391

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xagz0so7.default-release\datareporting\glean\events\events

MD5 53701664953d755f9020585b6471cc23
SHA1 40fc12a58d82e41fdaed825585003ce45b9f5bc0
SHA256 74da83021bef675ad879e013b86eee9cc6e100a8d3f3a99918e28e75578c43db
SHA512 621b407a59e0c39a10ab394576bb1d0ef9c2a0dbf6ae4630a3fdaf31b6ed7a7411b5abf00da12b98076d06af1b98d79d6e1e6c5c95c11110c10c747926206d5a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xagz0so7.default-release\sessionstore-backups\recovery.baklz4

MD5 8d9358a9a7a6b62f04bed88703d840c7
SHA1 d3375ef3579c6f9a408dda535ff6d7a19cc86ef0
SHA256 51bb0f710851b86449e55f8ec2cf585b1bbccd40a4f17c83207cc35d69a10956
SHA512 242029cba813793010563f85bf1ca40da0f1b288a5faf23e57f0f804808f06e17b3ee0420c45abef22757df3d7e07cbc15456ae05d6ab5cdef3eccad3d533ea2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xagz0so7.default-release\sessionstore-backups\recovery.baklz4

MD5 c10027558c62ad670bb16baad4c966f9
SHA1 2b3bc9ea73a64c56abdda9e280fdfca6aa67855c
SHA256 132eaa7fe5c7251989357c4f71283f3e111adcc2cf7b6373bbf9b84bde33a320
SHA512 ed53f06581d06044c9a5ec3eb39afcf66c3e1b17d83dba7863638e572ca215e10e8a20a717f178eeb419cac0fc1857004b977fd7267ab8960d0d05ebac624ecd

C:\Users\Admin\Downloads\AdwereCleaner.exe

MD5 248aadd395ffa7ffb1670392a9398454
SHA1 c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5
SHA256 51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc
SHA512 582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e

C:\Users\Admin\AppData\Local\6AdwCleaner.exe

MD5 87e4959fefec297ebbf42de79b5c88f6
SHA1 eba50d6b266b527025cd624003799bdda9a6bc86
SHA256 4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61
SHA512 232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9

memory/4960-1083-0x0000000000DD0000-0x0000000000DFE000-memory.dmp

memory/4236-1091-0x00000000222F0000-0x0000000022A96000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xagz0so7.default-release\sessionstore-backups\recovery.baklz4

MD5 bae66af88a2611741323a057dfa99446
SHA1 c9ce1bb988a1a77c91f33ab9adf55d86ba17989c
SHA256 a228714ce3de7ae63b989ac406ebb7c5d1f9bec31cfa2a633b6558eac21f6690
SHA512 567346342f2b15b8efdb9167a7356005eaec773e7b8d91dbf257c00455145263850d6c56bc6d447b1a70bf06d81a5ccde0d2e068a17b969fe630ea381626d35f

C:\Users\Admin\Downloads\E89VNdHN.doc.part

MD5 4b68fdec8e89b3983ceb5190a2924003
SHA1 45588547dc335d87ea5768512b9f3fc72ffd84a3
SHA256 554701bc874da646285689df79e5002b3b1a1f76daf705bea9586640026697ca
SHA512 b2205ad850301f179a078219c6ce29da82f8259f4ec05d980c210718551de916df52c314cb3963f3dd99dcfb9de188bd1c7c9ee310662ece426706493500036f

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 1fb803f7ffcc1d7cfef74dcf9fd28e64
SHA1 eae9e565e8dff3297bd9e8061947af0327a626fd
SHA256 dbdee8a238d16f7b68c8c43c17428b1d18793a46e7ce29bc8f79bddab025c31d
SHA512 c00d6faf8d8723578a7480d9618bb7b445951fc3f1c991c1aa0064688de7c8ef694cf50c1b6d6db96b2d8b2f931d5c4586ea0218fb5e0b98175455fa6c9ec7fc

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp

MD5 b16f4faf589dd87229be3ba4ae4ec75f
SHA1 8e8d4d32160808ebe5ecfd39f7ba00dc05da3bfc
SHA256 8cf6aa735959da6e07569be1d74832267b4cd8c8de8f5eeeb2288cb1f6e8554a
SHA512 a626efdec0914112574867e47d71e2a0690658eebee08ea77452091af112f59363f4a80abaf37a59562ca65b99f62ef8c799e79cb8576be725d5ccab986d282a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xagz0so7.default-release\sessionstore-backups\recovery.baklz4

MD5 086de68df246f8dfc865d39517b7d49f
SHA1 33b68ce035a3b1fc9f9615daab25affcd9540be8
SHA256 5f621579574f6072ed06183f886ff8b74f56612dddfd8f97d1c9d3fd0558a98c
SHA512 2e8db2517c1fd85bff4fd6bd9165d0c113d1281388721f2dcfa174ee7e42dda4b76e50ae72546bf2cf403be93d8c03543d13ac2ab881e12e7782308e74ea6ee9

C:\Users\Admin\Downloads\Nghwmpo0.com.part

MD5 93ceffafe7bb69ec3f9b4a90908ece46
SHA1 14c85fa8930f8bfbe1f9102a10f4b03d24a16d02
SHA256 b87b48dcbf779b06c6ca6491cd31328cf840578d29a6327b7a44f9043ce1eb07
SHA512 c1cb5f15e2487f42d57ae0fa340e29c677fe24b44c945615ef617d77c2737ce4227d5a571547714973d263ed0a69c8893b6c51e89409261cdbedff612339d144

C:\Users\Admin\Downloads\Walker.com:Zone.Identifier

MD5 dce5191790621b5e424478ca69c47f55
SHA1 ae356a67d337afa5933e3e679e84854deeace048
SHA256 86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8
SHA512 a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641

C:\Users\Admin\Downloads\WinNuke.98.exe

MD5 eb9324121994e5e41f1738b5af8944b1
SHA1 aa63c521b64602fa9c3a73dadd412fdaf181b690
SHA256 2f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a
SHA512 7f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xagz0so7.default-release\sessionstore-backups\recovery.baklz4

MD5 f774d7948359c0aabc2b4bf3d28e73bf
SHA1 64e3ae55356d69cdf01014d20103314bf18d7600
SHA256 00cf24b76b8bfff8f29a525baa87c8425b3bf9991c9619b7dbe89b25b8fcb766
SHA512 b03e9adafe9bab8d09f643bcdea0c3890530c6ea36a31e6438ca3f78470aa8fd08d045b8bef3c9964bf73eadf719b37bacf3cf8cd9fbc517d2f8da839477a7a2

C:\Users\Admin\Downloads\satan.exe

MD5 c9c341eaf04c89933ed28cbc2739d325
SHA1 c5b7d47aef3bd33a24293138fcba3a5ff286c2a8
SHA256 1a0a2fd546e3c05e15b2db3b531cb8e8755641f5f1c17910ce2fb7bbce2a05b7
SHA512 7cfa6ec0be0f5ae80404c6c709a6fd00ca10a18b6def5ca746611d0d32a9552f7961ab0ebf8a336b27f7058d700205be7fcc859a30d7d185aa9457267090f99b

memory/5340-1385-0x0000000000400000-0x0000000000412000-memory.dmp

memory/5340-1387-0x0000000000400000-0x0000000000412000-memory.dmp

memory/5340-1393-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Roaming\Soruo\waruy.exe

MD5 091371cf4a30d31c676e0db0c061f9e8
SHA1 c2d08a982ff708e4d5c2557c063ef6289dc7a238
SHA256 a7377e6613d950ba1e9a8f4a995e6170220cd66ee18d9dd317334384dcc294bc
SHA512 3d056e01e17cd82e3d8356c7e2ec201ddc4e9774e14fc8e9db28d87eb68c2066da23ba7008bca767447cb1c0237a8844213e8f813523643a36bf263997ceaaa2

memory/4964-1395-0x0000000000400000-0x0000000000417000-memory.dmp

memory/5672-1397-0x0000000000410000-0x00000000004CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp_a1977cde.bat

MD5 e47c61f6cd9589ac67595f3f16ff8368
SHA1 40ad40af8908f5a7a0f67d43b0bda6e2e1e18212
SHA256 e869f75d110c08c1540f23a39c5858f1f412dd6d5b282afc7fef4aceec04fd66
SHA512 8f88a23afdd35306d900f18ed0b5438ed1316d9e4d0cf6d32da92c5d47ba0b6a727956b8f8980b03e0e3fe4a6e8ff05c8cd5a4e74b474d894279d265699d5a2f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xagz0so7.default-release\sessionstore-backups\recovery.baklz4

MD5 ae8a2ac8c19e4d61f14d30c926f55f6c
SHA1 f05d0732bc7a53d6aa4f6ceb4670dc0d03a51de4
SHA256 a475f129a90242602b5b77de214e7c68d7efc3d96d8111d4c288df1d82e0fe47
SHA512 4ecd3ff71a6658078cc58154a3f1ffc9817b5dc5b59d2a8b285a4fd2eeaab6552584dce15c45f4abf9f80b7478e7f7b4f84e7203f90e740fa9dde1e89023e8a4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TJ1G4ZBOT4C1FRFOO2QR.temp

MD5 58d8722518f34c4d1c79b32939c0e269
SHA1 a78171f3c8c3b2c56bbaedacc54a26f5966fb1b1
SHA256 d55bef84618c117007fdeebc69fcd7eb20f7d509fdd0b49f6c04713597b803a7
SHA512 1fea42d5cb3a0867129360fcc803e25d7473d4e7cd98d840cb47d41774924acca06401569797c82872e1c49add1122a350257ad147299aa4cc329ff611c2e412

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xagz0so7.default-release\datareporting\glean\db\data.safe.tmp

MD5 11dc26cd224b24bd5b323c88ee2cd8d3
SHA1 531c0e1b75cb9505f2d2356e271ed58105c96cf4
SHA256 b8e01a1e7448d6bd756bcf586feb2909736ecf4403b4b1132c1f8dc23afbdc34
SHA512 10bf2bc38bf8be3a240558f099389defeb3e43abec99947959033679eceef26f40762b1cbc7d7ffb9184b19a929a32803656a1f82dbf7544e235907b3988be52