Malware Analysis Report

2025-08-11 01:05

Sample ID 240302-t96mbafa7w
Target PolyRansom.zip
SHA256 ed8d4bb55444595fabb8172ee24fa2707ab401324f6f4d6b30a3cf04a51212d4
Tags
evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ed8d4bb55444595fabb8172ee24fa2707ab401324f6f4d6b30a3cf04a51212d4

Threat Level: Known bad

The file PolyRansom.zip was found to be: Known bad.

Malicious Activity Summary

evasion persistence trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Modifies registry key

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-02 16:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 16:46

Reported

2024-03-02 16:46

Platform

win7-20240220-en

Max time kernel

20s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\gyIocYsw\qycQowko.exe N/A
N/A N/A C:\Users\Admin\vYoEUYsI\bCAMcQMs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\bCAMcQMs.exe = "C:\\Users\\Admin\\vYoEUYsI\\bCAMcQMs.exe" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qycQowko.exe = "C:\\ProgramData\\gyIocYsw\\qycQowko.exe" C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qycQowko.exe = "C:\\ProgramData\\gyIocYsw\\qycQowko.exe" C:\ProgramData\gyIocYsw\qycQowko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\bCAMcQMs.exe = "C:\\Users\\Admin\\vYoEUYsI\\bCAMcQMs.exe" C:\Users\Admin\vYoEUYsI\bCAMcQMs.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\[email protected] N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2912 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Users\Admin\vYoEUYsI\bCAMcQMs.exe
PID 2912 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Users\Admin\vYoEUYsI\bCAMcQMs.exe
PID 2912 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Users\Admin\vYoEUYsI\bCAMcQMs.exe
PID 2912 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Users\Admin\vYoEUYsI\bCAMcQMs.exe
PID 2912 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\ProgramData\gyIocYsw\qycQowko.exe
PID 2912 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\ProgramData\gyIocYsw\qycQowko.exe
PID 2912 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\ProgramData\gyIocYsw\qycQowko.exe
PID 2912 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\ProgramData\gyIocYsw\qycQowko.exe
PID 2912 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 2572 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 2572 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 2572 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 2912 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\reg.exe
PID 2912 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\reg.exe
PID 2912 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\reg.exe
PID 2912 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\reg.exe
PID 2912 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\reg.exe
PID 2912 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\reg.exe
PID 2912 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\reg.exe
PID 2912 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\reg.exe
PID 2912 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\reg.exe
PID 2912 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\reg.exe
PID 2912 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\reg.exe
PID 2912 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\reg.exe
PID 2912 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 2968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2588 wrote to memory of 2968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2588 wrote to memory of 2968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2588 wrote to memory of 2968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2536 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 2732 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 2732 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 2732 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\[email protected]
PID 2536 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\reg.exe
PID 2536 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\reg.exe
PID 2536 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\reg.exe
PID 2536 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\reg.exe
PID 2536 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\reg.exe
PID 2536 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\reg.exe
PID 2536 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\reg.exe
PID 2536 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\reg.exe
PID 2536 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\reg.exe
PID 2536 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\reg.exe
PID 2536 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\reg.exe
PID 2536 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\reg.exe
PID 2536 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 1584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1608 wrote to memory of 1584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1608 wrote to memory of 1584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1608 wrote to memory of 1584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\[email protected]

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Users\Admin\vYoEUYsI\bCAMcQMs.exe

"C:\Users\Admin\vYoEUYsI\bCAMcQMs.exe"

C:\ProgramData\gyIocYsw\qycQowko.exe

"C:\ProgramData\gyIocYsw\qycQowko.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LUUQQUMM.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LIgIwkws.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xCQUUgEM.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aEkUwYUs.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wMEosAco.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QIgcEUsw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eUoYMIUs.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aicgskoQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nGYQUwEA.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BYYcQUgM.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PgUYIAwE.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dAEsogIc.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ksogwgMo.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MiAAccwk.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KEQkwQQc.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yQYMYYIs.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AAYgoIIQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\feUUEsck.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fQEocUkU.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\daoUkkco.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xokUIYAA.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mkkMIQsk.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EGMEsAgs.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aaUEgckw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gqcsQIEY.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hwQYQowo.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RscocUIw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jCIAsEIk.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NmkgYQYk.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NmsYsQUY.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gMAMEwUc.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CwYMwEcQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WOwsgQgU.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OysYoUYA.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nwQgUUkQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PikIkIUI.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\reQAcIoM.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZgYIogws.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OasUIggw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\saUsoAAU.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wYMksssw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\usQAoAMk.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NosgMAoE.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nEgUIocI.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tqcIYEMI.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vMEwEMok.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lIUgIMIQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UEQEsYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EYYEscYs.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WgkAYsUM.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kqgkYYco.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hyYccEgw.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DacEQIwU.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tSsEkUQE.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TmgckgcM.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EAIowkAM.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WMkUgYIs.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WGIIIwEU.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wOssEMUQ.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bKIUcowg.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MCsQEwQc.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZYwkAwAs.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZQAMUYok.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WqIIAAMU.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VmwUsYcM.bat" "C:\Users\Admin\AppData\Local\Temp\[email protected]""

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom"

C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
GB 216.58.201.110:80 google.com tcp
BO 200.87.164.69:9999 tcp
GB 216.58.201.110:80 google.com tcp

Files

memory/2912-0-0x0000000000400000-0x0000000000439000-memory.dmp

\Users\Admin\vYoEUYsI\bCAMcQMs.exe

MD5 f44b18ffd1e7ea8507ffe8dfd0629ddf
SHA1 5cfa213f00365201390464179d003a247f83b539
SHA256 8892b9a23c82817078008713bacff2db924fa35a9c97eb4113b562bed9f376bf
SHA512 8eeb9cb88c8e0eda9b1dc39df84ee5f8ca7771a22b2ec716fb8b46ad54c62569561e5a9e9b7c394b9059ae8c642213c1550a91f12596e5b6f91a8cd9df28d80f

memory/2912-5-0x0000000000470000-0x00000000004A2000-memory.dmp

C:\ProgramData\gyIocYsw\qycQowko.exe

MD5 ce3f7fb1f1eee66d3ba2542baaff15fe
SHA1 d90e17019017ea06d0dd9962d07fa15c610d37ee
SHA256 0d0a5dcba76c83bd7ad3201a1a99540572ee15924333128cab3335f7fcde3da3
SHA512 b943468fe546fae2d7279234286a7a18c583eacb31201dd01a40973f95d903c51b9a378824876af77d20685eaf8fec8583d7849f25d5c39b8c0d8709c20afa73

memory/2912-12-0x0000000000470000-0x00000000004A2000-memory.dmp

memory/2912-29-0x0000000000470000-0x000000000049E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bMkUsUwQ.bat

MD5 cd8a142c1d3198146aa640fef5838de4
SHA1 af1e52a118453c1428a8a8b17e3fc8f19806c97b
SHA256 d73ced87a744184fcb4d993000470823ad873810251028a73c2bef307a164210
SHA512 035a3af28151c51fc0c8bb92564da197de8824c31b89433426a6c0d8913f4978f762d04f9b18a9884721d9054a11d3d72985f56396d5f924b927e382a686f2da

memory/2560-30-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2928-32-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2536-35-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2572-34-0x00000000000F0000-0x0000000000129000-memory.dmp

memory/2572-33-0x00000000000F0000-0x0000000000129000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LUUQQUMM.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

memory/2912-43-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\rwsgMUYo.bat

MD5 e7ac47ce92c22e3d5916a231ad183b51
SHA1 ec53df735c950253168019cd841e0adaa6a1cc6e
SHA256 820bc93401293bb7ad3198b891a2fb8cf0ba09080bb82f306220bd38d456afc8
SHA512 cc3c07f0520b705e93523e320d1fb9ccc56ee178831e0324aad14a7b411413b9dd802c88988882d6d464c72928a6efe4bc501d00536c3ad401a80b0e8062b8f5

C:\Users\Admin\AppData\Local\Temp\Endermanch@PolyRansom

MD5 2fc0e096bf2f094cca883de93802abb6
SHA1 a4b51b3b4c645a8c082440a6abbc641c5d4ec986
SHA256 14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3
SHA512 7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978

memory/2732-58-0x0000000000260000-0x0000000000299000-memory.dmp

memory/2732-59-0x0000000000260000-0x0000000000299000-memory.dmp

memory/2780-60-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2536-69-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PWUQoQkw.bat

MD5 877be7a56df471ce1471a4f6adfc63bc
SHA1 b7fe0ad316d0a157649f130ef965343a1614dfae
SHA256 8a9c426f3afe26400345e4eead0c9d637491f0222c823700b670dcfd002d3ab1
SHA512 bd4c420b56a08f971607ca042847bd996a8f2db61025227224eeab89141b908604291b6314082e0a0e9b410bdded566a767358d32e0b459846efd7e880b616c7

memory/2036-82-0x0000000000220000-0x0000000000259000-memory.dmp

memory/1688-83-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2780-92-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HqIYEgMg.bat

MD5 eca8c084f44b55fe12c5022694adde7e
SHA1 2297f0472ce9f22e160f9fec3335709a2c97c8fd
SHA256 f6ac9932e2841d3532d6b21e810b9c290d846419d82b3f172edda1ed3d1a0fc8
SHA512 0766002fd3e9918dc1e995dd7450b1c061e63bedecbb59848bb2160b2d4efc84252abc20a603a78589a1ec387f17d6f073a29545d0f247e2c324bc697acd9659

memory/1428-105-0x0000000000190000-0x00000000001C9000-memory.dmp

memory/1428-106-0x0000000000190000-0x00000000001C9000-memory.dmp

memory/1412-107-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1688-116-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aMcQMUUI.bat

MD5 3617be715dd3ea33ee0841e766ec9531
SHA1 07c04256f81f338d904a68a8133a78d468c7beb7
SHA256 d699c9eec1cc7641e0ed7bfe28fc149e8ea4b12ce05f28b36534eba32288b081
SHA512 01b7d66256480123d819c317f815bd4e88645ad0714a326f8867a7ce5e3448ff7938ed51c4c561023792753d765a08b6009c521ae0da661cdf389ab078a8d331

memory/1556-129-0x0000000000120000-0x0000000000159000-memory.dmp

memory/1320-130-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1412-139-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GOUMsQgM.bat

MD5 992b76b11d5cece0c0abb35e60afd821
SHA1 4d6aa12a4584a540cfbcc7ef00bbef12254d883b
SHA256 c70db615bbfdc5378596c20a15acaea3c0dfe472532a8822ed2e87014067be85
SHA512 7cc3b8eb770abeab5bd078a33d8a9e486a91bd87f14050a2b2cf063c2fd10c4b55db0d4dbf6bad4b5bd3bf1b0c5acf9d1d4a84ad44185d7878a043a36bde1d6c

memory/2296-154-0x00000000001B0000-0x00000000001E9000-memory.dmp

memory/2296-155-0x00000000001B0000-0x00000000001E9000-memory.dmp

memory/1052-156-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1320-165-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sSwMUEQg.bat

MD5 c120d6a6d6fef15e70106ad22865b555
SHA1 12b9cc0652eb422eee2b0af5ee51d6fdd1add958
SHA256 e043191216edcecebbe80cd190e737a0ec7b4f6a5defff0416817f43f8147eb3
SHA512 ce2059a0b570b6e5eea6316b866efa3e9bafdb030edd56b3fdc0bbd88ae8e721483a18126a7404da73015e5dc29d6c52e674b51cedd9fbb310f236a9d35fafba

memory/2508-180-0x00000000022A0000-0x00000000022D9000-memory.dmp

memory/2672-181-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1052-190-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cSUcoYAA.bat

MD5 05d9ae4cdca20d43ef947c8428b7e748
SHA1 0f30907b118dcb9877b93227be12ee441f1acd25
SHA256 b38b75c793bda27b3c37712fe4e5408a5f184022de7e9417f8fe42dca6209df4
SHA512 5793713774e4dd0d54a39104303e6ca86550513d85fe2faccb375c36b8a727f718f09b8b384a2cbd51c41c31569cbebb616a7b3ebdd5d675aaf4db1598d74d4e

memory/776-204-0x00000000000F0000-0x0000000000129000-memory.dmp

memory/776-203-0x00000000000F0000-0x0000000000129000-memory.dmp

memory/2672-214-0x0000000000400000-0x0000000000439000-memory.dmp

memory/340-205-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MQIocAYU.bat

MD5 011801a1e5513f3dda990032a15b843e
SHA1 3c34cd101fd643977f2b42179416fb795fd42b89
SHA256 8ce9cb76e6114154dfcd404232d4977f8cea0d4dfa01687ddd6cb60b0275c128
SHA512 f7bdf96451cc33b5d369758901391fffd26d38e551f6112fe71e6874e943ccd93b4f959da25a5e30928b34140b6fea7570e66665fa9e4e53b1103a439c3638ea

memory/2084-227-0x0000000000420000-0x0000000000459000-memory.dmp

memory/1940-229-0x0000000000400000-0x0000000000439000-memory.dmp

memory/340-237-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vuUEkAAI.bat

MD5 cd1e086c83cee8c57e1722a691988b2a
SHA1 1d3df1f41d3081e5956688a25b41849cc18e5c3a
SHA256 464c55bb325029d70939b50a19333ecd36c761630b73d6ae025a8e2f414db564
SHA512 0bd520e9d6d91c309aec0101e14dccf1221ba8558a30928b701d56b3e8cf584dc921bea71576597e4d6d42bb5e94c1870f7172710e073a8a367a1ca4d5d78ce1

memory/1688-250-0x00000000002A0000-0x00000000002D9000-memory.dmp

memory/1688-251-0x00000000002A0000-0x00000000002D9000-memory.dmp

memory/3000-252-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1940-262-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FAQwEAgw.bat

MD5 b45c1f21ffa27357eef8ca64af48669f
SHA1 c5687d0b96628192a281669fb5d69ed77022d9a5
SHA256 7f0213b8f6739c3d9da7f6cb9c459d69ff032695a11b915797e669c9fec25324
SHA512 0ca1423d40d086b4fca06e7c4afe630c012abaf4e7032014ed695006280f8a8dcffcb7d3d231aff0d67e026094d9cafc592ae56c99a12d19c4b2847980d91dc9

memory/1428-276-0x0000000000260000-0x0000000000299000-memory.dmp

memory/3044-277-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3000-286-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XEIoksYk.bat

MD5 3089e144b42199d89e263baadf8f6c56
SHA1 cbe83eb1e2c0f39b13201b592de5cf1d24bb4321
SHA256 028c3667a21e4f7182560d22a1a6cf1975b99132e232689ced79318e6813c17b
SHA512 24d225cf7705f6ae03d587dd270889edb1f852a07935a160ea6044b32477882b50c958767e517a0fdd7241cf74ae43c45c2e266a143f09512a64df5cf1b0ecb1

memory/1532-300-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3044-308-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jaAAQMMc.bat

MD5 47c22e59d26da4757fb2cb56cb79f7aa
SHA1 67374e8266b01dafd8c18e6a4bc589798d25d06a
SHA256 130658c8872a4e9b97d463feeca59410babc35a1b5e0609f67ac592f6616008c
SHA512 7e220bb810f1606472a6c44b60d10ebfbff3a6aea9953e5ec9a7b4e12f96f9c4167ec35d7c11579a0f0c7db142a3f77e049caa5fccc684e8f2878e531b923c53

memory/3024-322-0x00000000001B0000-0x00000000001E9000-memory.dmp

memory/3024-321-0x00000000001B0000-0x00000000001E9000-memory.dmp

memory/2652-323-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1532-332-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AWAAgAAg.bat

MD5 abf44e5f465a150c3a3cb4ffec386791
SHA1 f412377f98e13c44b754123ac792513489e1d15b
SHA256 1ab1448e8608de7db7fd915363f46f0dda1bca8ddd11eef8104ae8c5f0147367
SHA512 ebb26bc454f008100fdeda393747620bdc91cdf530dcefe1ae7854843bedebe930b98e2ec1b6a5a01bb09ce5f2895d1e1cc22c753b5cc24968ac49764cea5353

memory/1156-345-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2580-346-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2652-355-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CAAQkoIc.bat

MD5 b2b2cd0df10abb9d353c3afd42048863
SHA1 3f19fc1cf903d0a79bc0bf84ebb36104635bdcfb
SHA256 1b3aa2bc1f99232b9b83a58a8312130af0d0d5e6fa753e2a40936d692d378151
SHA512 7180f4f05cc778b6f63929302c82d2754100aa073d05273a931588de8b4bd350c5ee5d0016dd05ce7488fa5c1d06700f690edfc9f203f8c9132ab246fc527f4f

memory/1908-370-0x0000000000160000-0x0000000000199000-memory.dmp

memory/1908-371-0x0000000000160000-0x0000000000199000-memory.dmp

memory/2828-372-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2580-381-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MkgYoAwk.bat

MD5 15d2c49a209e138d1bb2c7a6518267aa
SHA1 4261406bf90c48636249fcedbe56775ab8075eff
SHA256 1f8838a5c5cd186e01e382000c799c162f42ba690f3c1ff3b99ccd964223e7e0
SHA512 8498a82fa001a1fdae6c8332e93cdf19998308bfef29e0b0c9262df24ea843a6868bfa7f1badcfd67cba9391ec180caee441291d1ddddee2d58df3a7616cde13

memory/2392-394-0x0000000000260000-0x0000000000299000-memory.dmp

memory/1924-395-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2828-404-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GsUcwEsE.bat

MD5 459e887b3536a89fd067a0cabda4ae9c
SHA1 87ace5fb06fa9b12c39493c364de115e88aa52bb
SHA256 035ccdbf90c451b7bb0a5d4ade7b1a545f4c847b9d31498db51210bdfda973ea
SHA512 a0dc3d3f44f6e985f9335047e0dfbc1f3a2cbf9361680ff23c0aa89e703cec31600f4457bf74c80d7b7e0265eca44be6daeebfed1a5db5929d47e8f52fcc43d1

memory/1652-417-0x00000000001F0000-0x0000000000229000-memory.dmp

memory/2848-418-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1924-427-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NoYQowoc.bat

MD5 412fe325cf698fc7c010a4f770649f97
SHA1 372d038567a055751eab9c71cfa67a6befe415b8
SHA256 3526119c3d62bc5597fea272f217ddf3b0276aa3faa47756d98ce0ec5fcd4a30
SHA512 94a5fed887f84f492d99bbbb3889d2df9f63a599821680b2c470f2db8a7e095a0f6d3e0bd29d1900ccb5c53bf67a1b3f9748225362db9701982db359a8e8cc55

C:\Users\Admin\AppData\Local\Temp\BYYYssAA.bat

MD5 96e9092a2e7c8cd756f3df607287f351
SHA1 2cd0c22da27da6d671b403f3671a9e981c1bae0a
SHA256 bf82660a54fcbf3b7e832c760be541ba791c99371731ff82e82adb804fa3f357
SHA512 b5cd014a1f17f8511185e9455cc85b0c30a55d83f9ad75535c777ddb56c5d01d9d04ff1e25221560e34130236b70c30e4b2266530256433357d29e15a81cafce

C:\Users\Admin\AppData\Local\Temp\tkEQQkMg.bat

MD5 24331fa0cfa1c78adc526b92c3f572a3
SHA1 f448a1574a594e45d397e6c55d311f69bad703e3
SHA256 8f6020a1791b9460ebefd346d4e7b51d60f0ebd0d4161e93c1d9913fbd97fede
SHA512 b109f96642363570c1fd6d21eeec95ab1d29f937927043aaa2d4dc1f5bf4bdf8e01a5b423986d0a860f9263548969f25ef88f485a7293cfc25628142feb27a00

C:\Users\Admin\AppData\Local\Temp\LgAoIYYo.bat

MD5 93dd80802d59d3291750f188e1989346
SHA1 d23aeb55e0d6c7efe3ea0abf36b97359fc8cd893
SHA256 fd8b35e38df4f6b1a240e7ae542eb4336a05d220f81d1bd91731857c853f7d0e
SHA512 db1f2053a76384449d9813d837a13ad09df34f1836eb8bd1df122ecdb965c496a6f5348aaaa3e34a882c9a80880afd8b22a36c8aa329796630d806b2d8f2f98b

C:\Users\Admin\AppData\Local\Temp\bcgwUssw.bat

MD5 c9f8dcfa41f453a8e8a80cbe09d3112e
SHA1 135e2b64990c69b377f92caacb2d2d347d363a2b
SHA256 8d0716ad812cfc52c01f3417c7bf655a3b6852a5df4cadfec039c83eec854ff2
SHA512 407a3d4943bfcf2ac2b6f28d303da257329941e7b73b4ba8241abf9901b07829bcd6420f04dd4c68f641ddaa20b7dd512f4284b2daabdd8687ac80bf935987e8

C:\Users\Admin\AppData\Local\Temp\GKAYEckA.bat

MD5 4b0c85005fb25bff8b5b1d9fc11d8911
SHA1 7732b65b7b2bc5ff435005ce73741e5e3f9d2602
SHA256 f6eb4c39f52621e5cd95ffe560b41481f89ec432e66e2d3cfc2fea5ff9f32651
SHA512 7b7bd8e1ed153a354c788ad56d52e0521e198ad887f792e77eef50f6d6b1c97b9c37161611114ec50d4a5caf471db5a216a8cf682a85a3f94bcac121131b832f

C:\Users\Admin\AppData\Local\Temp\GSkIAcwI.bat

MD5 f4e583fe1ccb403670a52c2e346e08bd
SHA1 3880e4ae8de02298bbb472193c8c7aa93e4ec916
SHA256 cffd5ae70eccf2b60b3cf8ed0f8c46d62448ae62a64897739538d4052ffe22c7
SHA512 3611c2bc522e47320cf2612d1129bc5b381560d3d216969a0577fa339f02e29801c7696c34a52559d2dec7875f6292264eecec7750abe564b6e2e45a9e89f922

C:\Users\Admin\AppData\Local\Temp\iOgYMkEY.bat

MD5 2f14c8941f9a9f1aaf77c5cf8f3d2f05
SHA1 92700cc0836a7b06854614f615b3ee0e9f1619a6
SHA256 376ec424a2bd48bf4af59516664b1b5fbd3442405f84673154748a675340d3b4
SHA512 551e3e1488abc4fe9e1b1d880ff0c52527dded084c4dc918571acca728cbc9e66cd99f168f7772719d5d9ccfbaa23eb25965997fc83c5c988f2f5dbaffa072cd

C:\Users\Admin\AppData\Local\Temp\mycIckcE.bat

MD5 ef45c8bd96b2c9b025191291cd0e74da
SHA1 10d0d6d2a647f8a51ddc28310bb5b92d1d037cb8
SHA256 d984a49df929f78edf0bc63e9d39f46546f37a64459abe89039b325d30169084
SHA512 627577b37fad782a11ff877642fafeb852322cf0037eba511a30c21f0596e056b198993c4c808e5bc376c95bafdde214e09e6c4ffe5584d8fa600a13db542d2b

C:\Users\Admin\AppData\Local\Temp\PgEEYQgE.bat

MD5 789c30b80187daa1c08fc15fbade06d2
SHA1 955a4f6d75d22a1cc9f3a670a12dc5064da80c4f
SHA256 aeb6ccc7ad9dbac0eaeb03ece8134203e5e1af1f328124acd96b17c028dff49e
SHA512 abdec87cd43299c5c0ac79b3df811156cb0ace63c61b672429ba043480a5809e6b941ca11d1bfb23fb9e9c7f57826f3820d051490ba1ae13bb0451f3d95af6ca

C:\Users\Admin\AppData\Local\Temp\PsUEEksE.bat

MD5 c8da657f353485db49ba2e298831304e
SHA1 80623ae28e3e5d239ceae254da3b63011cd5c79b
SHA256 a239c249f1bd0ccac8027d25afb5cd548054ab44252f6419abf9aff21392d4d3
SHA512 c2e97a49707a68b9ae2abe44c3236a3c88e8dfd6326c9e88bd28dd72d05907512184ef93ab7373f728fdb9bb45e8493693db7f8f0d0200204e8bb8ef14791cb3

C:\Users\Admin\AppData\Local\Temp\vcUAsMAc.bat

MD5 a7cc7d6eb92050a7cfbb73ca7d0a3102
SHA1 0bb507cf3514c0af927fa2ea3baaeeefea382e1e
SHA256 2767bc6a9d6ec358a611c254bf8d03912bede98890be77a850c7d5a43ae0b009
SHA512 1259e7c2dba7e48ce9b4d14e569caecf5f5f9d0b207dcfd3d3beaba7d821c7ab7bb7221c1910ef2949c95c7ea6478ca02aa2b7d0de8cc0db6fca537514b98836

C:\Users\Admin\AppData\Local\Temp\fsYggIEE.bat

MD5 26d72473135c5795944fd0e0549e9cdd
SHA1 86d01fcedf705b14415651f51fec5b59a0e6d5fe
SHA256 4756149d8cb60f1e59ca00f57c8f5f077af54d944d9be237ac21bf0543d28154
SHA512 75ed9f174116bfcc0fd7566d28f06002531b37dfbccdfe8d7867ed912be7412050a5ad7a070e16ef75bd6aaa0cd603eef0040c6fa805c072c6a0aeb76d73a29e

C:\Users\Admin\AppData\Local\Temp\gWckAogY.bat

MD5 c1935dfa9b13395fb92ab6b652b9fdaf
SHA1 95f7beac0554f4fd67a8714b7aeef826d6da64b4
SHA256 a8f2328d205d2dd428f8e9b0d6f82439fef187c3a4e5619cd7b2a521d86fa8d9
SHA512 8e96ba6c2af905c9c5d9fb318b92bf0de062a34f64c6d5e97c92cdff5b101226b0572ee29b018504065415294059dee9b3045561f1a0cea6a9366bd62d2747ee

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 8be7e44d9b4d0eb2cb2cadd04aa5c7cc
SHA1 9f3ec03b08c7b41304bc53656461964380a63f4d
SHA256 79fa8db610e99bf89f53fcb06b1e5210d0ff7791d6d2920022b01e9a9b87a4d0
SHA512 7d55ce7452082c41bf234b74cea8a9447906b7ae56db9440039c38d0b0c8cc94c1c39258326b142a9847fb387d4ea97999335ded0d7bcfb9a515977733994d40

C:\Users\Admin\AppData\Local\Temp\WQcu.exe

MD5 8b8c6c661a06a12b80f1c6552d604d95
SHA1 7fec04e47cab36ccf4882a94da1de439e87f92ac
SHA256 1a1b5e97677845e053b464be9bd2f998183ada6489afb30731f82f6d248ed5b4
SHA512 94bb0824a73332bcb0010384bd6b93a5eecc0a89f60dbf1c09adf5ba9079af1a4893595bb7830f42f77d81b483ecfb1227c2cd1cb02bcdc4380bf5a00442c19f

C:\Users\Admin\AppData\Local\Temp\iwogIYgE.bat

MD5 f7bd998cedacf675b9b03686b885fd3e
SHA1 9e339c6c69f6e2dfb5e959ee1e5e6ea17f5578bd
SHA256 72bbb4eda6d2f8ac73d85266c69300e3391287d984b133d8f52e84092e57bf67
SHA512 b38327498f8605fd344de4efa86777b29c34b8b9c2c3705fec46a1935f6b2cfc3b88f591dfc4e4fb17edf720840b036162c4e978a522a481688f97baf984604c

C:\Users\Admin\AppData\Local\Temp\aIUgYQcs.bat

MD5 50d6c2885e114b3fc3bfd0107d898702
SHA1 ca7b888cf0f64a0a0904de79224a8c5291d96431
SHA256 7883d54b82d444e01c8f6022e4fb6305821d7f00337a98519f9586651137a9cd
SHA512 f073fd83408d5a15044e58684a02904d0744b8fcebe9e6e73b787d1b5926ae43b8547f575fcea7483a17dedecd5e51a3adfd236918dc9bd60d2cbea5e2393ed8

C:\Users\Admin\AppData\Local\Temp\wUUccAMw.bat

MD5 872ce95191f481471f89630c94494b05
SHA1 a0bc19ad74dc915eda74d0042c653a5aa83cbc14
SHA256 4f1a1ff282fe8a0cd8d45f4f969214c932145f9e679d3b4e3bb60594022bbd82
SHA512 3bae644f80f4c83b7d9e10899a819b9c8c78d2c8b9e126491a2a61a50570c2546fc531dae2ba1c3ab286a22bdc694494413c326be387baaba2859f0b2bb35a5e

C:\Users\Admin\AppData\Local\Temp\HGIQwAUA.bat

MD5 a2a6aaeb50f1d03586999c272041ae3f
SHA1 7a94b95da07bb2ab0dd1c9dbea2517b041d5ed02
SHA256 710e016b113d24dd73d02f047f956b9c885048771a637b76972807f849df2f32
SHA512 5d7cdedbebba4bcc206b2e79958c53c428bfd69ba0b1637fc838f821a4656aa96d9a3ec1bd16eb9fc77ee56231d5e0c225346ebc7e98c526e3223fc72fc7959e

C:\Users\Admin\AppData\Local\Temp\jCwMoYIk.bat

MD5 26ff2ced0213e56a69f2fea9cb0e1de3
SHA1 7a40ec3ec9bdc71e16116de449b8408f32571142
SHA256 d0fc779a0bf3f6e3fa5443a2a38931614cb82efe0daa5e08954efd3443440eed
SHA512 b33779368ad629c7b59b31733f38b4f26b19c58597802337a0e60eca0c6d3b9b425d9320b010ce3e1bd9f1ed6d61b9619956ee763237d58db649ba9b4321677c

C:\Users\Admin\AppData\Local\Temp\lUcEQYwo.bat

MD5 f2cefbc4d8cfda9d2f845ac7436d8726
SHA1 d666d1e6d4cea6113072f16df85c6ddba58ac868
SHA256 23202f86a98ba703968b42f477b412ddfa55bad5d5706b87a279818ab8f12055
SHA512 1f801930e059d46cc08f465a860bd109f0f346eaa514f619eea58df49de060fa861bbb06e637119e00b8520b97686064011e27abb5fcda4bd9a9455ec04c4d17

C:\Users\Admin\AppData\Local\Temp\VqYYokgQ.bat

MD5 4da787f3d7e7b3012e02395ee996c552
SHA1 49d33f55262dd12fe02ff31e8ad007fa59d86c2a
SHA256 e1ab540cb67fe0ec988ed84d87db0e72251884b049a78baaf73cc5f45b1460e7
SHA512 5103cb31fed1348496c1fb6afd3f7a32df2e8e9cf50dc326c8c995e7e713db9d753797f7eca323e79ca5c01d90d0867534935962353847c99ea2ef66b66f77e7

C:\Users\Admin\AppData\Local\Temp\joQQsAsU.bat

MD5 154d36fe9677b65742e68c04cff1dc47
SHA1 09ef25081206c0bfdb3289533b338257fc696af4
SHA256 3f89d286068cec791e17f08037bce0507f03f81fbcec19e44c8b772109a33d74
SHA512 75d86c0e7de228c93c3b8f0b741323b61aae49838af458202d75e2c6215c4681224cb54ba3464601e827880ef91273ebd753eed9af1ede25937eff01266ddac2

memory/692-916-0x0000000000700000-0x0000000000716000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EYAsAsgY.bat

MD5 87d6c360a70a286a4ecef673166433f1
SHA1 42486a656ebbd706efdaa4f7bb694b3954b5cd00
SHA256 694ea835c22d355af9672e7432663953459b0fbb8132b8e1aaeda3fb58dcfe40
SHA512 c6d6ba68ee91e355619f32d953935d5c8daaa7553ecd93da0e00f023f46479ad3a81d69a7f0c3e3af10bd9ab3eb06a4c042afc4ec046f9fbff371fd85ca3c78f

C:\Users\Admin\AppData\Local\Temp\oygEwkUE.bat

MD5 926af3c89a4e0600d7059874bb0d71ea
SHA1 2a4984ffe7799642d685a3ecf433ee2c1e284e41
SHA256 3d339c6443acc28455a04418ec562eb777f425c8c09b1fc7694edc82e8d8323b
SHA512 483fdc6e68d4ea5540de7a5bb236584457eee388436cbcf8b699cd007f3be77965ccda95caccc8ffec16acd4fcb2f6e16da6e60837ffc7f32e7cf4588e446d6f

C:\Users\Admin\AppData\Local\Temp\SEAwQcEQ.bat

MD5 86c889eef481bc4d5bb89ffe604bd038
SHA1 00f0a7f79fdf84aa3419924b8eb6b76301f7a6f8
SHA256 64b08b3b73bf9d41fc33da8dd2216d2641a738b50b7596de4900ecea6c628e5d
SHA512 7168c0209e1530e860427ea18ab661f67fb9bbfdb15da93aff9c333b9496529b953dd1957a3caee280bc55574d20c3a11d68599a17fd0ba61a6ff709f2f3ae9d

C:\Users\Admin\AppData\Local\Temp\cOogUIoM.bat

MD5 95b8caa30c8fc5614dfa885f2b1e2f47
SHA1 b932ab24db03d722bac1fb8c3358386f3184a26e
SHA256 dab8d94752ffe1d0130b9061212787b7d67c31e9e8b3cd090c9a4f4c6e62b47c
SHA512 e249bc756a6150be4ff0fb571f81e83a1948e5286589446455b4cc7b5fbb184b672d7f999e8f8e6e345abd2ff0a6d5583e191b5cce77ff1312b8d72cc6ae4112

C:\Users\Admin\AppData\Local\Temp\tmMYgQso.bat

MD5 b6bf20177ad2081405b6bf914243b3a4
SHA1 03334f490ae7f1a4aa486dc439ef0b5c268f503b
SHA256 9e7fcc84eddf00b89f364efa207b2cf95b57b3845132cf00dab4888fcbbd042f
SHA512 e32d7ae56e1ce9e492880dd20af4ff5ca6bb3e09a7a909884c5fb04dc5d482927432f3dd32d161d6d9e0c9ecba1a212e01fba488bdf56fad9aa9e8a1f74c6d35

C:\Users\Admin\AppData\Local\Temp\BWsEkIoo.bat

MD5 dd15a703c3dfa690a3871a6508d2ae87
SHA1 921b3b8da15a63286ebef3d14685b1167be7f824
SHA256 343b3e6c520c14c33feebea30a1c2be6fae25d965aa03df9e088d4c636f93d1f
SHA512 870435433e2af6ebaf80ff13311c5105c6130c01efe62014f3138a15d73650834cbdbb655d435a4cf48c00e9acd71387b2022bcbd67d18ce9da6c23f2e23eab9

C:\Users\Admin\AppData\Local\Temp\vCcAUcgU.bat

MD5 b7e808af26e06ec7cca5572bc27c2c2e
SHA1 a770661327ec550008592a15eb9df2b616ab29ab
SHA256 fe52507586906fee2884a65d9fc4777ccf664f8717178c6961735a5b479caf08
SHA512 6d355714dc6719001aff61a360716aa5ac39cc693064895fc6e4979ef85da30ef612a06eb891d905052856fb7d1e93a55745ab0a0ae5ce059f241c3918f32a02

C:\Users\Admin\AppData\Local\Temp\fwokQgwA.bat

MD5 c90c93ec623713028d0cbf53a627cbad
SHA1 499af90ca38719776c8224fe138ba406cee6cb72
SHA256 1ef1f8298e5225968440d39677a02d8390c578148c26eba8c7cf9386376d06b3
SHA512 55de567a8fdc286d4e8204055fe15d84ee6d611cacd0ad7c292d71959c484b3eaf34b8379a97d6df0805ef70bfdb313ca547cc1b5c1d6a3f634e77328f753d05

C:\Users\Admin\AppData\Local\Temp\QsMgkAYw.bat

MD5 62ad1bbfddc7f3a0b6260359ec4f4886
SHA1 1877ea65284edbe265552da74cde215ead92e74f
SHA256 80db47fe177a2814ef778ff9b8cebead340bfbaf6188eb2b6b793e96703f343f
SHA512 452d07c93c0a30593ec8f150723fd3266e396827470a7adc467f0b0e062ae8bd93494e550699086f64fba80d1e6ba6adb52e7da0780c9ff7a0c31d819f31454d

C:\Users\Admin\AppData\Local\Temp\AqAkMQcs.bat

MD5 adcd6c948475005f6095e81e8f1793f3
SHA1 441220002eb3af5e5a416c26ec3ad347bd92b193
SHA256 57eda940aa88b3bb883866dfe41512d8d0ff24656abf47fce1a52fe711d5c5f4
SHA512 e9169cd777bb826480873c98034924ccd3f9f5c320e61827cca1358d58f9c0796e6d08e57ad4e9b2c236a6e59bb5bbac85363fc24858e3cf2e5ae438f132643c

C:\Users\Admin\AppData\Local\Temp\KkkUkMcM.bat

MD5 ce57ce0123265ffd5ec45552ef259e9b
SHA1 d379a05947606c7c7e119de3bde1893a84b0003b
SHA256 0ef8d35a47f8632623610a33bc56c92bc4a0441a8de17844fab2ab35ac91b1e1
SHA512 0f503840503d9d20e2f8a71390980bdc57c3dcb40eff545e174272020c3db4b901ab31c504d90156145627d7e017cd5c48245a09e30ba392b7ea24876d2ba87a

C:\Users\Admin\AppData\Local\Temp\iyIosMAI.bat

MD5 c3c7a2814f68f64e519da50b4fc8292f
SHA1 75a0d266553daf3b8870b86acf9746a0e402ec99
SHA256 601331bb48a2c1e8872e05d9b64f668f8c7df6487ecec314def5b96eba8848f8
SHA512 b20505c6e6f8bd44165443905edef709be233d3c9bc1a870b3e195fe4ae241359b375f9bb152a11ef626ff0ef532e7b78bf6642f31dd3479823ba2594e83bff9

C:\Users\Admin\AppData\Local\Temp\bicEwIso.bat

MD5 1e900c9d573a19d226555e0af67e2470
SHA1 159e3729bb2aa0428c61bd9392bf7f2043470c17
SHA256 909becdb6941f78f42d965cb5f7d39b17091236da0277a7e97345015c6b24eb6
SHA512 bae8c1925330d0219a87f2d17ccba5d84ae764a1d3e42198fcf7c13ffdfabd2685535b14ccce0e4220ffbe6b4b25c19d74fcc0b31dd1dcce750124002695ccd7

C:\Users\Admin\AppData\Local\Temp\XQogYwIM.bat

MD5 bfc66a0476261af6a8e7082ead70d11c
SHA1 8d590ef881f9b2d950890b7f31f87cf9a1f848fb
SHA256 99727484f6592d8d765857d52ed25205515792cf6397dafea2dcab90546dc2ab
SHA512 1f308f49caf817385ec011f8fd87153ab560e1048ff5085e55374b94f856ed21ebe23d56af5d6d0ebc1083c14e4e2df5299a7d720ff4564298f1f6689e2b90e2

C:\Users\Admin\AppData\Local\Temp\eEci.exe

MD5 104c0fa60da746bf936f82bd9ea47116
SHA1 f2fcbd98d4362059431d56f3fec83dd9dd9b5594
SHA256 a51d769e6ee8f4f8390eefd15c4e5d42fa43c44372bacc2448c6dfdafe04a2c3
SHA512 369387999cee0ea7b437a069ba2a2fa30c07bf6934a1e9f2b375ff89ac1eb74e5d4d6281ecd30d785ab4b16cb81f179b6f0dc221888eab01489ed33990c94e2a

C:\Users\Admin\AppData\Local\Temp\yQgs.exe

MD5 53bf1790e34bcf89166e4e1e9c9715f7
SHA1 bab90869680648c137e93b6c11bbbecefcd7a734
SHA256 2ddd9fe7fa9d5667a7c27a06a39cdc4cb845b643b7c961ace430436098e85b71
SHA512 ae8b36a5107a659ac6cd935ff6094be14999bb93b15d29d4dbc70d42ac5193c51ce86446cf54b7e790bd7b157f7f345a5673667c900fa07865fd30d39164de18

C:\Users\Admin\AppData\Local\Temp\WAwG.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\qYws.exe

MD5 d66832955a443a66003e0b7a56161c9d
SHA1 88b1cfe423247054872ab9e5bd70a94dd4177a23
SHA256 8fd8ec56d6385c91996f0a08d5d6f794e8b23468f70167da1b0f28fd092706b1
SHA512 01e5aac7709438b1f4480bc121ca4d5a99ab51793cafc9575ffa54283ef96e4726f2a1805da4f0f935d337f10ae45b06b4d216e838297f5e631b7fdf6a35c573

C:\Users\Admin\AppData\Local\Temp\cwgm.exe

MD5 eabb0727c238042167522b336e1516ff
SHA1 95124348c32f1b8b0e72b9b1f6e5d0891e7ae463
SHA256 4770e87edf95f1f8fdc41a4a7018a4cd75f27fd890f50f98112a8c17f381c3bf
SHA512 586627d84215dd3d909d585cf1a8abce59cd7a47fddc95c138db8129fc64c0e20a0795396c86bef3302005dc31eba0c8898d3a4db6a09dbdc039f0bf35280292

C:\Users\Admin\AppData\Local\Temp\XqUEcAgU.bat

MD5 f374d636f71c06c726a3b6cc0f769a98
SHA1 252b69231dcef0cb870e1df93435ba14444d96f1
SHA256 915eaefc3266b463751a91b41aadd57885a36c6e1644eb538d76b0ffbddf0a13
SHA512 9ae835404e60330d7a00557da74c16577e35ec4478737a089ac5cb6f89004f916dd73462e30f45bfeea3f37d4939ca489cecb429c61d58a564b5defd9c52e75d

C:\Users\Admin\AppData\Local\Temp\WAUC.exe

MD5 850d7e0e456b853e4348896403e3a017
SHA1 c981980f36f2c5807dc050e0ca97c252a3b36d8c
SHA256 963e1a75cd946ac784b54d67948bedcbffd2bd1fffa44267c94382407772e397
SHA512 ea08e63d537840248d7d1bacd8bcd99cf0ea5239f6304c8a72a54637acf6b2934d8ab3991fe984e48ebc12d89e3ffefd6e6428ca1c2bed364280752f8dc0a53d

C:\Users\Admin\AppData\Local\Temp\msge.exe

MD5 739bb0bbef43fbadab0678433e4a1347
SHA1 2a9785c1a93cbd6dada3c5a2606bd93b3608df2a
SHA256 0803f0bd3f93f7a27b74750f6397db773e107c2a7d58de41c7bbc63bd32785d2
SHA512 d333d5009faa4af3655d9adebfe98fc3186875ec84ddae65e7d12d3998a4eb4bb8eaef26dfe1102dee220b023fc7fb76a8a3e2f6c9df4e88d07c123d4145e452

C:\Users\Admin\AppData\Local\Temp\cUMQ.exe

MD5 695df467fe570cac4e3f700a2b72e4eb
SHA1 de7075b766bab201edace9dfc77b340c07106204
SHA256 a4729ef3e5acba40bf743641cc3571352c1752e9043a837d40c9ce96b18e8bf5
SHA512 03055eadfcbffcabaac2e8d297317e29052bc5e6f6708887c545fa93201237e4a05103373bf299a91281e1c921218a7f53df7bdbf4c5852c3e774ece9a1fec62

C:\Users\Admin\AppData\Local\Temp\QkwE.exe

MD5 4ee9b5715d5b2aeb82d16994a8833402
SHA1 2e6c8023ddde4f06942abadf8cec882185f5bd7c
SHA256 b9215972e0c276c9ca8ec65eb9df3605488d72b67d369a3b0f80a74ecce8204a
SHA512 526160d1068eb30cc99938e7f55a4d7db1489d52704f1bb4d836d25a3ee010b8afb974fb64ef6c63ee7041bc7d352250d1377a3cf6cc2734340100b903ba5198

C:\Users\Admin\AppData\Local\Temp\aMks.exe

MD5 1d5c07c10b332ab0f9560c848ce9e6ad
SHA1 7dedef96e13d7e4b549d1100734e1a8da75e75f0
SHA256 93bf56b0d45b5fe192d21e886d913f7cea8b02cee7e5516f6ed4e76a59874c3c
SHA512 9c330cc0afe73af41ce99de1de9b0d9eb86bff8739b3fd96ba415e22ab00ab7af4e93ffbdd5653e67ea7fcb1d5d02ef3d188b5c92d6af1cc19218c7b4a2ec5f1

C:\Users\Admin\AppData\Local\Temp\VyIMgMYY.bat

MD5 3bd050c30d3017f6633cecdf3f21c725
SHA1 f6c964388c0e3180f81f32b088eb52ce54e98688
SHA256 93153142d71c942eb3e310e10c7bc8f4df6649aae168d7b1925a9587d95aa1fa
SHA512 2db9febc5c23769925e806c506a20fd20213c4c4ea3ba5700ff9b87a8135632551248ff1030eec0af52e89e234eb595c086d71146432521b535d36e1f43c559f

C:\Users\Admin\AppData\Local\Temp\Aokm.exe

MD5 85abc9723ee4a27d5c84991f4318ac94
SHA1 b690eb4fa3d104a313e50c6c93dde2efdfbbae9f
SHA256 2c25e5b02261bc1cbfca8fe2d9b71b11a7a3112d130322a82452414d7ecac1e4
SHA512 43d23d8840e78a74cf2e60b15e27f0956f64cadc34fb8c0e7308f77c6b20e3c043e294417a0b291464a33d75819bf0863de5bb314eab04af0d3c23c3dbc8c5a3

C:\Users\Admin\AppData\Local\Temp\qYku.exe

MD5 cb8c061867bd9a1c3f05e032eefce241
SHA1 2985b88613d46cfb355fe4b2455803d21b629670
SHA256 2fd7ef7a5730df41aee36490dce582ef4a36ada8a5a1af663185c8d5e0bb882d
SHA512 b798b88250f3a0f014261c9a3176ed958e981f7eb36ac740921e4e9721cac00aff1f8be1765379274f8acf28a74d87410b12c002bb1418c61860c3428aba1171

C:\Users\Admin\AppData\Local\Temp\IcAc.exe

MD5 7297191b48aa683235822b209198a1bd
SHA1 662ccf6856bf9de14e5fac0f5a0a2d9b15ada7e4
SHA256 64dfea6f63684262be88d6b0ad738d39a3bf618f1a772cf6f46e1cb2cd74fa5c
SHA512 7201ecc927f03e1a9f11e811278fb26be2e60ba34c50989593870f092d0f1922a77fdf2f5a5221d737181c04faad6b5345d02a505c83d4b28fdadbebbde83f3b

C:\Users\Admin\AppData\Local\Temp\kQYW.exe

MD5 f82b3a5e15389b4fb7584bc2ee4a268c
SHA1 fab56d3ff96acef0ff462cd1d80ad17a04960ee2
SHA256 562c851167564f8971df34d64b18810b977b79a8c930917ad421d20c053a2087
SHA512 4f910c9aad83fb17af0c0227bbefdab9a27e16f746b5018f54d438f6dfee815f862098debf8d08cda4072c102c145af97d2464a1f2b06b411097b14a874af83e

C:\Users\Admin\AppData\Local\Temp\WcQY.exe

MD5 bb96decd2a1d97815eeb4f7ad920bab5
SHA1 2268cd5456c41eab36c05c0593f536b390ecfb85
SHA256 50fe2990ca50b9ea806db0c11d34e5a53030c540712e86beabf36bf62e10eff7
SHA512 4fabe0945fb0b88a2b459fcc4a904eb9508ae24f17b890cba9cf77bbe7fd33d46ed734f3470d0badf96c1b518a026cec8a9175bbdbd8290cad903b65d4372279

C:\Users\Admin\AppData\Local\Temp\mkcYcIUY.bat

MD5 61de5165370d4d4e7d324ae589206307
SHA1 d4c796ecf251e55efc4f8b27fbdd350886f0a63f
SHA256 ed8bb740aa0b21646264a5a3da2b144f0525d40bc619137b22b73253d139aa93
SHA512 b04061f253d3492ecaee1f57a3c7c47ec424fd80c4e0cbbad4bc6b396b3ff9bc701540a46784695e04baa79f81c81396e5626cf1c32139cb269e22e52eca2270

C:\Users\Admin\AppData\Local\Temp\ogwG.exe

MD5 8c716134e82cc4405fa613a5552ddf54
SHA1 b3e29be43f3dec3887ca676f08baae3c50fab216
SHA256 742c8f41ca9c16e2648b07eb259377a1d40fb8986e607bd01609d475e7631b9e
SHA512 a2e6dfcd715db4af55230e1e6d5f07ebe964848936440de3d7d6b6245c8ed9d11519acbf981c7fb25c4c7edf9f9224f73df8efb6a9175846708b4be9a36e7c3c

C:\Users\Admin\AppData\Local\Temp\aksK.exe

MD5 d9e9cba70d4a5d8df6fe799455f7c550
SHA1 f9da1f46d69b1fc406d7f78d75d7ea9a01b48a70
SHA256 787bf52ff9788f11a7894129dce50ea83a6bdc755d0baf72aa9a3e6de56588b5
SHA512 db857d8160a4ab8f90cc1cba02f57e50ccd4b44ad874570235f871722070a2e6e0370f3df4d3d7e4c14f4f59a4253b2e2e6768c4b6588b3f85654b85c4d6e04b

C:\Users\Admin\AppData\Local\Temp\cksy.exe

MD5 b6b0eeb7ef70e3af583ae30d00d8b5b4
SHA1 1a477b1aef9fab635512b134b596f32ac6d182f9
SHA256 b521197307a602c65478adec0accea0348873b3534b319898fb48831496ab00c
SHA512 e8e7589445db50c00e9a90488dfc98082b0c73ce7c8f277af6f6cdbfc79b4edb5576c5f81b57bbf34e7297dd6f5b6c4724d4bd3c65900395ee7db7f25fa028fb

C:\Users\Admin\AppData\Local\Temp\Cocq.exe

MD5 b6952fd886d96abd51d774cb4283649e
SHA1 8655f81cb90ef0cd1fdd04bd0cbbcbd67d1f59c4
SHA256 56336eec191a16ce9cb3f78f118b5fd2d8ef78b8eabf130cd89e37dd34af4df7
SHA512 898c96f2828097f1141a0f3755d11f026c36803ab9fc49435603aaaa16cf1d0b8eee0d136f9879c7b8c39d91556d4969ddbb05af91093f273676d539579162ad

C:\Users\Admin\AppData\Local\Temp\kYAkQAoM.bat

MD5 bdfe7e3b4c3f7e9284040ec52e3fa337
SHA1 f54efd5266856f6b8b5c5cf72fabf5e176e73b85
SHA256 ad474b406c453f5eac2ec94c4a9a72136b8bb4cba65706164fcb6437d8fec108
SHA512 e1658912350b4ec9f11b485fdf38d8e7d96df8337b0c3a76439b5d9f26b2de5c3af10a3b31e7851dc6bb272b2aba6137dcc227cc187ce34ab34b0e36c1e716cf

C:\Users\Admin\AppData\Local\Temp\qoEy.exe

MD5 6433d58d616b088a7b5100d14d641191
SHA1 9ef54bc851331dc64efff8cc81564018eab9ce6d
SHA256 3f410a4518aa887bf9386a98f295f0ea34e0087e193a22a9b361620b05d367e6
SHA512 49f1cff4d56e27237028956fb152d56b9d30f6b882cb782a9c95abddc07333c6172797c313873bbca20b26a201542ec97948abc59cf42df12b9f385076ec43db

C:\Users\Admin\AppData\Local\Temp\aMko.exe

MD5 ad40aaf939fa7b69e2a1edea0b8d8ae1
SHA1 a4b6bb80e98e935560b49a657247aebb04df46e2
SHA256 ad0d5d153e0000f5533337b2a77a4bcc129e150abc77332d3af4c54e9add7e95
SHA512 3771ce2ee87dfcbd076725b37498b7c67b5741e8c282dd036dac12d52c0851d78db6e75c841d4863113cd6aa1915f86345e5f3a4f31d6414db4e408778a94999

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

MD5 ade5de1588e84a28fea6e6d855c04c24
SHA1 850f3f1c591b466d99acd30fb47d820f70e1cd3c
SHA256 46ce75f9ad35c692623e082edda854e752e22a4f3b4eab2215d830076cc321ee
SHA512 8fe73cf6b730e36d4bf4bff85a8f322ccd269d19d162e7960755356ef60da54a3f28aefe3fe7d87e2c04d0052042b9f1ed625fb26061e5a82ad08de1510955e7

C:\Users\Admin\AppData\Local\Temp\QIom.exe

MD5 2c45f7a6df7cb8748b7b8014a09c4820
SHA1 aea182983b44dbd6b59c4c7eaa77b3d52e152a5f
SHA256 cba7167f278a6a2fb4cd9c406ea1b2f51ad1b54557457eaedbc57dde298be248
SHA512 57e1dce1ec53f5839d4716e78ef196b5a761cded5dd93b74a22e1ab2eb91665053777cde8e84c3fc881fb1baabcab816726080b2c6789579e0d80213797fbeac

C:\Users\Admin\AppData\Local\Temp\OicoAAkE.bat

MD5 34f101951fd244ba96bf88f25ce550e4
SHA1 9bd27d8559e793f809add4ab59e21bdad6ce62da
SHA256 d58c4def6cd2af1cb0807ddf02efd69537c56eb41c8260ea46a56c877a55c97d
SHA512 ebd2e91870e181fc35610b9e46b58c1717e838b15df07c54ffb961f3e9d5e112422fb5f18b98e5e25915c85b44c481f9bac3eda36f1ab82be5cdfb2996d78eb2

C:\Users\Admin\AppData\Local\Temp\MoAS.exe

MD5 56b3b47462acba09c740c2eec941249d
SHA1 3b1afec55fcbb20381bfd6ca35ee1a6006c4f30a
SHA256 4e9b8c1b0e144333a7ef71bdddb31e726639c33638973143d4eef2d7ff92fde3
SHA512 24875553e42bd815f65c05169125fd46fa43fa03ae84858e59f6f5f54ef04b57bd0caf58d83a93802b89810c51d10d2c5ccab2675a787084ade096c341cc435e

C:\Users\Admin\AppData\Local\Temp\mEou.exe

MD5 2f69f3fbddf29577aba550a74bebf46a
SHA1 a90116a3ba42a2092f2fdb598df25a327c598400
SHA256 0d35634420eec3690a43fd61d07b868766d8b8b0fd51067627f3af74d9aed4db
SHA512 3206bcbdd5acb1349c01d3b304ab86cc932efe49fd01ce0e212d92b6f6e2c746322067bfaa11b29186882153450be37fa838391783afdb3137ec74393f93afa5

C:\Users\Admin\AppData\Local\Temp\WMYS.exe

MD5 53f26ae368cba6f48c4dfdb4c166d5e8
SHA1 355001584a2bbbd1a553f72e8e6ca20f830183dc
SHA256 d7849574f9aab8668204857e8947f8988d446cb995b004a19d518152a1c73036
SHA512 70d02494af20d417c3e948b7f9f3e1f5b2d9b48a71025d3d7db4e48d7ca06d5225832fe63e5912810ece50fee25723cffffbac7b76d76d60788a5860bc7333cc

C:\Users\Admin\AppData\Local\Temp\OIEa.exe

MD5 eb6f9ebc5781abff0975134631a9bff6
SHA1 55cd589f7d5393e54bfda47c8bfa979a719ab732
SHA256 e12d7604e5f98806eb5b4875c07c577b4f72b10eec538f78cc2af004a1b0b7cf
SHA512 ebcad74598d9c43483eaee9af4fb10f84e508860d1a649e156baaab84162bf87e94cf59901fa398efee1d07fe166d5317d0474562f1edf40e6c48e3ff55ce456

C:\Users\Admin\AppData\Local\Temp\IAMc.exe

MD5 639fae74f8f599025eb2a698e7ac1cf4
SHA1 0e3c24ee293ae5339286e1b35ec1e0146761d6da
SHA256 79c1bafa7eedd9eaf572f9f3bc162f61e025532b7fbd5562580b31e699f3dc61
SHA512 cd79fd630df4b72d1ffb959fd5c791aa9d2258f15f145cdb02743df0bbab3a13fae4b4deae8a715c352bdf1b20825d5274a94bb4518b7412fda45bd3ede695b4

C:\Users\Admin\AppData\Local\Temp\GAkG.exe

MD5 2c83b7aacd0d52f97729b05167216247
SHA1 1cd71b73c01e749738180e760298a5c32221de91
SHA256 c7e319cba1274c564bdc3e2e19c6fa0d6c17129f158c8f02fe9c8e97c084cc97
SHA512 15e3ec8b3cedb7f9c232e49b48bceb3b9057cc9c276eb497dc8a1dffee124278bde426aeb9c2691f40859a0d07ed69d72b1593b5106236998ef16c670fd95698

C:\Users\Admin\AppData\Local\Temp\aEIu.exe

MD5 1c5ccb85aa7cea156ddece4f88158d7f
SHA1 f551f98f879be0f3cc06438caa33fa83f6a4ce22
SHA256 c6c9b2cb9914a4b34513f3ba7f8d332f653c355e4c21413a772806911d86e32c
SHA512 f82351f9935a559e319fda5cb5b09aed1df261deb1660e28227329fd1dead6a67edb85e8977191a6b774bb6d1851d1f9304be826acfca95aa1144e7618dc7a8a

C:\Users\Admin\AppData\Local\Temp\CUEs.exe

MD5 a3b2256fdeead551dede0cb4aa74b291
SHA1 0004803eac64edbc219cd9d64f09c6e75c518848
SHA256 3efd8ae505161585f13dd82d400c0aac0c3bd1055f24aa0d613cf967f391c4c1
SHA512 eeceddbd27eccd3fb8051bf8aa165a0ef573e35b97d5b530c6b36af56a3b4c61402fd1bf55fabc8697f459031dbb87c9f7485bf1a8ac6a0917be3e3ffd7e50b6

C:\Users\Admin\AppData\Local\Temp\wWgwgIoE.bat

MD5 c85a00f18051ab0460271541cc74e4fd
SHA1 97477f92ee86a1744f92337405c2bfb41adfc65c
SHA256 441545322f8f146942a62e993656965f82caf687e5d91944faa1996725148d91
SHA512 80afb1cd8ea73bdac8b506926f735ccdfde6806a814581addc9657afdad975e0c6baaca334247825dcbe8a6a9e99dec86613eb811bfc30d7a90dd4bef2543ca9

C:\Users\Admin\AppData\Local\Temp\KAwu.exe

MD5 e144421c7c4bb26d49395cf1832e2478
SHA1 05d78ed8dc33af61cc3c05327c52ef79b087a256
SHA256 02165eca8a2d8a08cfefca0c625a7592fdf1cd6a0c46fe5fdb5182c20dddd4b9
SHA512 0497249eaed68eeb82fb1678382fc4050e3ef0bd3208f6ee2130e3ae1935e0baf0e24aceb7af3af852e0a4095cda76a2a2a2616160f6749d73dc529e4f079156

C:\Users\Admin\AppData\Local\Temp\oQsW.exe

MD5 fbb15961a15a7fc8b25d4970016ace65
SHA1 03fa75ed4363fa1dbc15539c6a57a1cd28e977ad
SHA256 a6c2f99aa01af1c4334a1bca50fb62d0324c79e35e9f060699ddfe31ed780078
SHA512 041f5779ff1566f55f19e4251c83443f1499f74b59ac6f3f07e5e96302dee3e4707bb55c7a3515ad0157143a9a01101c7ab121897c090af4165f5f8b3a847e29

C:\Users\Admin\AppData\Local\Temp\coYc.exe

MD5 db20f34dd7500f43048c677d4dd585f0
SHA1 d15cd404ac6ddefbf24e28b2c2a5e87fd2a02427
SHA256 76519c37381428be76e966e72b20da6bd7fdfca46e90a551a844910587bf0fff
SHA512 cbf2901e53579714f94693e4924b2c59a3b4c277b82ab1ab7d24746b0d7979a74ab91956c8216fb44df5573b35799ca34a928a96c79fda612fab713dad7acd0c

C:\Users\Admin\AppData\Local\Temp\Owkc.exe

MD5 47a78bf631a334cbbaf999eafef812ac
SHA1 799ac3c076f170f82b617bcc86901b8f906a4374
SHA256 9317f7a816844d7784782bb1ea096967841b382cd91e7e22c6cbc31cb9c1026a
SHA512 79ac399497bd3da580524ef4439f69b2b4e554b9917ac1653ed15153f0a499e4b9d2a29712b99a71c8df8151a319faf6c1c5b09de185c7b141143495b5f54e27

C:\Users\Admin\AppData\Local\Temp\MMcM.exe

MD5 06a5a4e5527c7f3e2432fff33329ce30
SHA1 afeb2447a9c3c4f58d411455b94d3b09d47f29eb
SHA256 be32649020e8ca1a1660853eaede2c1c09d1f6b70c00149de649d2fe8cf2076c
SHA512 f62d5015ec9393a1eddcc000905c0c6919cbbb185ee8c6a444ce4f83bb931eca46a5e20fd017c9490a35e0f44c3b90430e9624b67d59178084f52a92ce3cf673

C:\Users\Admin\AppData\Local\Temp\SYEM.exe

MD5 01933963b6ae217f6a64e643ae987999
SHA1 185b61aae756cba943cb28590b73f87dc43b6696
SHA256 6b97bc7fa9121d27d2b82fb950196d5b89af6c232a34d864defd8d3267bb5aeb
SHA512 1d9a04512132d07b2349327edcfaad7cbc504a21e2e55c5d1c066774ce94bb34fde8be48cdc8d400afd38388c14c5b4feec247dc9d2fccd0fcf606eae19a3c92

C:\Users\Admin\AppData\Local\Temp\AAsG.exe

MD5 7171f9a4150fe3970f6c7019058363f5
SHA1 5273db21b4830c19cd0fbc71f78f06367ec64d1b
SHA256 1f9156a43aa8f5661f9041e354c47ff0a4195e44c3fa200fc977f7922e7dbba4
SHA512 33a8b888fbf00b65ab2ca13d082629fbde37ebfcdb9ecb232ca3f8e1ea6b5ebf54ce52d6027ca14876faef58859ef8b922df721ac0dc52368b15da62b5f44e36

C:\Users\Admin\AppData\Local\Temp\YEcM.exe

MD5 876f54c242844fe3fa6d76c65e9849bd
SHA1 586334d55536a58a582b237ec984a08762055f48
SHA256 0c9f2b4e01e5c5f82d2c91e93aaef4c447d2282ec266aeb13a04bf50488bc122
SHA512 60716d3a27c213a5641beded7bcf8911d8ce9cd24f695f7f58eff3bfaaa75a55f070ad0ac6f6d70fa52c264fa118a050abd4ccce82ec8e022fc3f2e2b261bd56

C:\Users\Admin\AppData\Local\Temp\UEAK.exe

MD5 26d4cb0929544de97d5f31cc8dd9900c
SHA1 107bc5efb3baae088c774fe6dc5ea2612ed98c33
SHA256 e914d5b77672b226998ec4190c483c5780e874d0c99dcd274ece163ce6bb22dd
SHA512 2161a3e10f0bb2a61118364b1767ed321053543d2af04cd7dfd399a7bedd1b1261d85a4d0cbac2bd0eaf49edd7c1525da638f4d15c1184752615f720df8526eb

C:\Users\Admin\AppData\Local\Temp\sEEu.exe

MD5 a2b9ae1617c9d2f8e0471dd34ef8b81d
SHA1 67229446afe1f0f9ef4ace25879b2927c0f4fec3
SHA256 e20f23eb9a3d77595113fccc6cf1e454ae1f2567494bb16d0958850be60b238a
SHA512 621a83e2fbf36d6dde21260c94c1bd1c420db8a14e74811b9fb32c85b58ef7c969d20a0745f921086569b2f6d280731d3eca91a6d8de262b7b96254bf4248d94

C:\Users\Admin\AppData\Local\Temp\AQcw.exe

MD5 81f32c771f607f04a7d5373c6a6e909e
SHA1 3717723c5c1e2e2e3bfb880e0122d5205593b49d
SHA256 ca5c7d2e3b6bbedda00bc9775b977924c51172bb7e3c24da54c03ad8033d81da
SHA512 fef8d478d20ae374d19d63fefe9efd185c21ea60af3be0ccdee4612bdf2cc5d4e82815003354676528667c0a0b0002550714c0451c08d1aa86b4f427dbf5cab0

C:\Users\Admin\AppData\Local\Temp\jKgYIoQk.bat

MD5 7eb7934d8f6fa215752589904258d331
SHA1 05e91899df27a39b78d8b56fc893114fb498cb26
SHA256 525d52935e9650b3c164fb31edcd89534d99ad16330b0c0a9bf2d0a735e925d6
SHA512 0b1f6cfcf7cae2697edf7e20d3ace6cd555b72b1fe506a67e26363e440db349d2b4bf919f58738791ad18fdcfb855bdfa0c03aac6b4d68ac51e1c891fe01ef65

C:\Users\Admin\AppData\Local\Temp\GksQ.exe

MD5 277005f4dfc147caa8958dd3f3fdf29d
SHA1 071b124beed79add1cb4b568a80dc92ad781c6b7
SHA256 31d499b7541b828f5c5b5a24006b0043382a030d222853cab35b0698bc4d369b
SHA512 340a9a084df9b1a9e79bb458673cd461c6fa8425c63113a7e8de82125f404b4c37ff02e6151ecbcfc25b40c83c1ae5f9d4220cf7575920966d01b80005a8d516

C:\Users\Admin\AppData\Local\Temp\gMYa.exe

MD5 78f26fc7a1a2f2720f1d28666bafa95d
SHA1 2f45b8765132c87044eb41b8c0fc0a360f123a95
SHA256 0d6b05058d86d3afb8c902bbf12c12073f55672882975d31bf9bf91c43f77885
SHA512 8ce959f8053ce91e3ae6505cdf55902861af00e584f74fcdbff2d22539178bbd3dcc3f0cc0c8c3289eca3fdd6f87d8a208cb588a340d70db4109f5dd75bc905f

C:\Users\Admin\AppData\Local\Temp\SYYe.exe

MD5 29fcdc9a9ac2700487212c87d835f5ff
SHA1 c85966f4be39a90112850c1e1141146aa62a24a4
SHA256 b324a3587b3566d52c2e73b9b6331301d66c60c7498857cea4aad5d478192cd1
SHA512 9b0449cd7709ba0b4c0af176543c7c6031cd9d8363c26c4b7df6b9fa2292ad5e9e8f57d391e313b2b5f559e047bebfd1c767b87efc7334c34ddb8adbfa517d2f

C:\Users\Admin\AppData\Local\Temp\zIwUEIYs.bat

MD5 d071e5b78e5187958c894b7d46c06b8e
SHA1 d0fa93f354b2d4cf4178da520b4753c6ace2e2a4
SHA256 b053755d26816fd1b917bc5c6dee2e85a55cd5b5c0fbf1828cee6a50174c04e3
SHA512 6cc1e4e8aeb8ceb79386293df64ad2746833583109a278343741af24dcad4582842eeeca6e1720c3dd402acf57480d4ee1ae86a1706a2b40823ac2f728a84359

C:\Users\Admin\AppData\Local\Temp\gAgs.exe

MD5 76d93c9b1924210fcfe5f6653983c458
SHA1 d848688eb371b240dfbcafc984a421b36e81ae8e
SHA256 16f6fbab4b9737b27c9f0e953c48be2a1d8d809a8f4d2bfb5a72f79d51d783bd
SHA512 de0fc404205d5e64ff73bf7ed48c7fe4a4d10bc1934395480b25ac02e6f980ab516f8937c3b9b71bcc05e47b701114452ca291152603220622346d883ae2f1f2

C:\Users\Admin\AppData\Local\Temp\jOksgIgs.bat

MD5 be82b3ae931517612fa28aa8383ee513
SHA1 5d79aba71f8ce22e7750a6cd5d1d26f8c94641cf
SHA256 588eab969db5efc53aa381d4390c025793158696b3331cb2fb5bbc0a14e9856b
SHA512 9ec1b496d1d1df5049d810f71a0539b39257c20710c5001d3b7dc96710c13b59137f3bbefe5764a2c3309bc0c6ecc42ec429d5b6919c5caf6571d2b1e05761d1

C:\Users\Admin\AppData\Local\Temp\wYYu.exe

MD5 35a0fa8876003b0fb4958ddb6be22b5c
SHA1 ad5d5d41d1a479982ff9c6619094df2677af88fe
SHA256 b0c9b7313aa5cee53276fe51772c2dc2fdfb7c4016336d2e6096320944b93da0
SHA512 b83af392f89f133482e13b2032279f2dfe8557a49299663d7bfeebd709cc84f15e6c7be053dc6787f585bef44127b64d046992cdc7c8b068e7a226ae5a06c82a

C:\Users\Admin\AppData\Local\Temp\gMsQ.exe

MD5 a744c868110ed81cd4b1e74f824b606c
SHA1 aad8df0a17713dd93d50fc02466749a6edf1b508
SHA256 af523b98254f4683f5aff8293c1ce2b5d1546cf41cfa28e54ecc512f639c651b
SHA512 2ff32022e81bb065ac979be1833e58122f039fbf634b4082abc428da03b7539ccafc1b2ce8b84952a1a85beedd947d7134346236f95b2c53f794c9e6de66fc64

C:\Users\Admin\AppData\Local\Temp\qUAu.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\qQYi.exe

MD5 a779823d5a952190ea6cf8fc9f670e1c
SHA1 c597a33c532ddeca1c461be3e952d6419b661822
SHA256 f360aefa99ceb0db4a18eec1b2b370a7616411beda1a8ad926c39d11d280bbae
SHA512 568bd89e803f0d9d261fe30aa9912a6b46c4cab189ecf9e70b146c38d369e8db37b9bb157911eca11457bcb8195f69632ebb1123fc3eda133d421c5ff48e0a4d

C:\Users\Admin\AppData\Local\Temp\aAIe.exe

MD5 ed25be03372355f5d9f35dddb5cb9f5f
SHA1 a98982140b14ffd440cf052c1c98d3701edfb167
SHA256 b532cc8119561ef621ca8f2ca2399c056eaec7595ba88bcb938068f42041944f
SHA512 95edb1384fb6452ac0ad15664de143011c642cd8bd7516622888e13fcce2bae4432343cad9fbae5efce319470126b4ea8e83eab968558f8a914cd4499a1833b5

C:\Users\Admin\AppData\Local\Temp\aYQM.exe

MD5 3add323fb5447cd8f55cc94463b67bc0
SHA1 e701b8f68bfe451f93823a7de917c2c3327ef6f1
SHA256 0bcc7bbf05139f4614b3eec3e53f1eba5398e27222e1399ae48a4d1904e51d8c
SHA512 b0e52186675e16ab4aa3b224001cd41d6d7cb886343539899b301e02ba50b1b73f6dae93405c3f5d31b5e552e944491935c56c60d93a40fda914aa71a946cc00

C:\Users\Admin\AppData\Local\Temp\cwkS.exe

MD5 09f0eee771d3565770bd5fe98b8515dd
SHA1 8a39cbbfc956bb2a7a2f7d170c7ed23c1cc77ee8
SHA256 73380de1ca31087894be28f869dd2c19d75ae155b51f0088ec76f6ab360ccc89
SHA512 cb5d57085d4c97fd702f959536c066fb09e4bdae4c0ecf546af0617b4f41a6f7d49905ec32ca3c5a91c9546967c51f25807f6d9dc40dcb37232cb9767fb88783

C:\Users\Admin\AppData\Local\Temp\sEoE.exe

MD5 0be94a93b5a818c68116321f463ce5e6
SHA1 24feb3b4442b15710923ebc6ede901e821055ce7
SHA256 29ee8900f083a887d70d5c1b845bd19a8e910bfbd15c0d5fbe16ab0c618697ce
SHA512 8439646e55656b0cfa15e0d77c0a8c88b2eeda8167624499d8cd01f997e4bf40838df1e726af0d6dd4e2ddf9f45bae9fd5dec823b0d102e455ed93ddc6f8ce75

C:\Users\Admin\AppData\Local\Temp\IQcY.exe

MD5 606fdd0a5e8d3a0b3a5f31f9cf9d50eb
SHA1 fa408815c9d15c6717024644a38649188452e815
SHA256 612f9aad157ddc6bf9bac6d72f22780a63f90ef4bbeaf6aca311c506b39c36f8
SHA512 663e5305e37a61a65d1485cb697a5e7d00acea724dcd580d2eb2118793b5b3c81313b1200977d7c964fad3a0ff459ee1a156b10ffa3f1bc69ce2e1cddd8d09ec

C:\Users\Admin\AppData\Local\Temp\yQkO.exe

MD5 b350eea0d5d796bda198eb762144eba6
SHA1 c24c4286b3e070e3b49bd55f6ca7771cc19106f2
SHA256 d266a3592934a72f514353f12f6f60cdcbd0834745d723c2b308f649203e0af3
SHA512 c46d9cff36adf93a179911be388d2fc89c2a8fbc4cf9375c3c8f75545528ba29bda46377e636e0ed676a629d7d0ae4d02d6c11ed40c2b48f1b0abab49ae3802f

C:\Users\Admin\AppData\Local\Temp\uwgY.exe

MD5 ae5ed8874f80af16016d2d45989a8d38
SHA1 fe6f0b01ef854214e33ab3b59bd6ece87f0672b9
SHA256 847bba9ca1444c969f0ce7053d2cf15b402fee551518926e0274d6a57c108881
SHA512 b4327243920afe1fcc300e059f0de27057caa225df3327c62cb4b88012008c85f8fe55aee650da78b9bea6a5fcf71c4cd16f897325f6b32c28a98fccda636bd0