Malware Analysis Report

2024-09-23 04:43

Sample ID 240614-bq65mazbmg
Target 903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1
SHA256 903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1
Tags
evasion persistence ransomware spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

Threat Level: Known bad

The file 903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1 was found to be: Known bad.

Malicious Activity Summary

evasion persistence ransomware spyware stealer trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (81) files with added filename extension

Renames multiple (70) files with added filename extension

Reads user/profile data of web browsers

Executes dropped EXE

Deletes itself

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 01:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 01:21

Reported

2024-06-14 01:24

Platform

win7-20240508-en

Max time kernel

150s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (81) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\International\Geo\Nation C:\Users\Admin\smMQMMgc\oGooQQkQ.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\smMQMMgc\oGooQQkQ.exe N/A
N/A N/A C:\ProgramData\VOkgcosc\kacgYYMc.exe N/A
N/A N/A C:\ProgramData\YCgYUQMc\QcIMMcUE.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\oGooQQkQ.exe = "C:\\Users\\Admin\\smMQMMgc\\oGooQQkQ.exe" C:\Users\Admin\smMQMMgc\oGooQQkQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kacgYYMc.exe = "C:\\ProgramData\\VOkgcosc\\kacgYYMc.exe" C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kacgYYMc.exe = "C:\\ProgramData\\VOkgcosc\\kacgYYMc.exe" C:\ProgramData\VOkgcosc\kacgYYMc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kacgYYMc.exe = "C:\\ProgramData\\VOkgcosc\\kacgYYMc.exe" C:\ProgramData\YCgYUQMc\QcIMMcUE.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\oGooQQkQ.exe = "C:\\Users\\Admin\\smMQMMgc\\oGooQQkQ.exe" C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\smMQMMgc\oGooQQkQ C:\ProgramData\YCgYUQMc\QcIMMcUE.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\smMQMMgc C:\ProgramData\YCgYUQMc\QcIMMcUE.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Users\Admin\smMQMMgc\oGooQQkQ.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\smMQMMgc\oGooQQkQ.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\smMQMMgc\oGooQQkQ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1644 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe C:\Users\Admin\smMQMMgc\oGooQQkQ.exe
PID 1644 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe C:\ProgramData\VOkgcosc\kacgYYMc.exe
PID 1644 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe
PID 1644 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe C:\Windows\SysWOW64\reg.exe
PID 1644 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe C:\Windows\SysWOW64\reg.exe
PID 1644 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe C:\Windows\SysWOW64\reg.exe
PID 1644 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2960 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe
PID 2720 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2532 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe C:\Windows\SysWOW64\reg.exe
PID 2532 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe C:\Windows\SysWOW64\reg.exe
PID 2532 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe C:\Windows\SysWOW64\reg.exe
PID 2532 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

"C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe"

C:\Users\Admin\smMQMMgc\oGooQQkQ.exe

"C:\Users\Admin\smMQMMgc\oGooQQkQ.exe"

C:\ProgramData\VOkgcosc\kacgYYMc.exe

"C:\ProgramData\VOkgcosc\kacgYYMc.exe"

C:\ProgramData\YCgYUQMc\QcIMMcUE.exe

C:\ProgramData\YCgYUQMc\QcIMMcUE.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KyUcAgsM.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KyAEcUAE.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AgEwYEcE.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UMsQgcos.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pYoYgMso.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PWsAQEIw.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jQgIIkkk.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OWoEMUUs.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "200868165110970804602038805503-933237548-209112098-19664978511668570796-604327841"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sAkswMgE.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SagIUAwU.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "265577954-1742556679-1463803288-882103954785440783-2011937824-12783779821094538704"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HSwskYIM.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HSQMssco.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "97202118360951707-1078534918-1657666429-88825054510162552341463538607-722750610"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tgwUIcsc.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "354868370-521983776-8258094751421832052-1803325430-508709374810804857-797205314"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tWIogYwg.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yAwocYAw.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "443677404-1582148027264997432147458113117314112421215851-898175366428099172"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kIsoUIcA.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EGMkMkAI.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AmIIUQII.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VcEIwkAM.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RKIMYAAQ.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LeIQIwgE.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp

Files


C:\Users\Admin\AppData\Local\Temp\eYoE.exe

MD5 84e18288480a57a5c422ef9b615ec07b
SHA1 6d252377fe411ce44a71ba28ada36a5fb5b1e17e
SHA256 bfd4e0777368e7683cdfa3fe1d504846aa6d357e4c9b3c731650d937c5665905
SHA512 fda449c9cd425022d43f313c2a9fa431458af5f30a9120fc1013da478297d73c8459e7d84524a1ba4d9d0a0f1b580e31a8c0ee7367c840371859116851cc6dfe

C:\ProgramData\ukMI.txt

MD5 8edf0f4ca173077e88bf58000a54e102
SHA1 fab7469698f10f06a195ddcdd54d5d13b5b479b2
SHA256 d97ff044166c855ae321ccb18c01588ccaca5ebde2938ee574349161b30cb1ad
SHA512 8dc5b897036a02b2df0cfe53d32c923e4bb8f72b4f894307ca0cb8ccdd4a6cf4e1b61e21770d297d1cf365489bdddc23262bba50388c95577dbf8cdce3943bd2

C:\Users\Admin\AppData\Local\Temp\KQwY.exe

MD5 80d0f056ec3e6c94d19ac30fbf3ff8fa
SHA1 cbcd64b3fe35bf5dec3ae8d7a8a7415c34f785d6
SHA256 7ce2022fc32006b67899f8f0748a9350ff15a280b5823918865193df20c8642d
SHA512 4f04ca3d8624be7658540f5314262ab1e161cdfe6c7f98c3df040280433340fa341219d5e7f9bcc0ce8efa778bd2d600844e08bca85fbe3436d511e3e4fd674d

C:\Users\Admin\AppData\Local\Temp\ogwMIkYg.bat

MD5 37ab89772b15ebb3fa8f4bd7a117e56e
SHA1 eb785fe8ec4b5dd8f193b0f5ff8c00d8228aea5d
SHA256 358ce4fe1eb841c0d49218f178e8e71c3164af2384d85100949b17be8c2ebf11
SHA512 9bf5adf47be318bd8c4573e568cd2f0c90be17fc2e7f69c6cb9716427beaed384cadbf98c8cf568328dd26c5cf008c1995013afac988e13b3c85cd5483cd2667

C:\Users\Admin\AppData\Local\Temp\sEIY.exe

MD5 46aba8e526b43fb901eed14ce6f48afa
SHA1 fd4ff9bba260cb7bd497d81eb0a1bbaeab69514b
SHA256 19e552be4cf190b0b0f93c9d4e68047d52478803968060e36bb1d9b4e647dd27
SHA512 1e9837dc7d49bb0452e16f501fd0b7b4df3e81edeff0195d005a6c8697095ad3c0aee49f0fc829ac958c953fc6d2ea72582bc9c605bb7e9ebdf961dedd5a4c17

C:\Users\Admin\AppData\Local\Temp\yUIk.exe

MD5 3f778be2ee7257b384b0178037e134ec
SHA1 8e42f251bbf416471adc65be0236a4ca43855bee
SHA256 643f677147bd311a77ba728c8a061d68eb631b06c08c3aff740712c4d16b6c6d
SHA512 9add84d448b397d5ead68895815d8670ec4ca740a8a794e73d875e59a52e694b0b6232f486687e37215f2104a7bc015d7c59101e9990ec8ae10cb4bf4d1e1329

C:\Users\Admin\AppData\Local\Temp\YUYa.exe

MD5 d375de7d59a3111cc9ad829a4fe5e5b4
SHA1 444f1fff97c4e9b0875f54bd6c9c6b4ae9601f2f
SHA256 dfbdfccb371013945f864b61570a351c014bce865111190319c6ae9f0badb867
SHA512 bfd9137339ab25d80fdc448b8ffa5f45a643d945f7880ebf388cef75d6d7b2385b9aa704cb4ace2cc620dfc781138fa0a6b6679e702dacb32a3e4d63baf71e51

C:\Users\Admin\AppData\Local\Temp\EQEk.exe

MD5 e8f14a86aa0d331c8509c17a59c9b6fa
SHA1 a1df54bb1227835c7efd0979c8da096d2eaad977
SHA256 208acc601599b0cbf514c64e7be68ea2014b454473c247183c43781c7384735c
SHA512 1c1011a2dce43c13ffe2b7347ecbb94402a11b8a740304523498d37797253fa5288869fdc9973624d3ed148706e6270dc6cab6fdc2ab72a844a1be98000f4780

C:\Users\Admin\AppData\Local\Temp\AAsUoAgk.bat

MD5 2ced127b1a3ffb9fc4cbb6bc940d95a4
SHA1 310e68a2c5acf0a4e9e82ac82fff6c78b781d469
SHA256 0de323e8905f8653b54ed91fcf66d59430c0e0cb11b16430cc30f0aa14310a54
SHA512 fe22cf604954c3e415bef3f7af89cfe489243c1aacb4f063a864d31b1ef01a601c0ea781d7bdf82dfafc5bf93168e867982c8deaccd4cc1f7b477543f52bbd2e

C:\Users\Admin\AppData\Local\Temp\gUkY.exe

MD5 9d6641ba9ee419d5d4706b0374ff9d56
SHA1 ad82cfdf320e4bd44aabbd9e5c15ed43b01ae655
SHA256 4b01c068a043a4fb79ae924f8c82c031f431b4b16120dd5c5f4868095b34a579
SHA512 d52bc05f376d8fd52551de2f370b918adf32dde00fbe547318b82e9a372d1e242768c717854f94385ff677fab94eba5fe323cf72706f97a0987e288e8bd57c44

C:\Users\Admin\AppData\Local\Temp\eMUY.exe

MD5 74acdc6c3a49e28b7bbff9a436f89e21
SHA1 c5e50cd8e9c2889b0b0306f47b906aecda676b48
SHA256 3ff1c6a62b15a41963c228e0d187df63a6371b3998c9e13bd2c34a2533f5d94b
SHA512 57c5001fc15cc8b26a4df586c6d9cbc5f0e8447fe60610bbbc40b678a4e6babe5f4aa5ec1bad46388576a7cba44b98d79b24da764b9fa6b370d2f504ba74d9e3

C:\Users\Admin\AppData\Local\Temp\eIUA.exe

MD5 3ce89635058d45136144957baa970c04
SHA1 76cd17eabd9e3e7ab7605d56be10a190fe210bf7
SHA256 e8ffd32fffa125d07b706e1c1946e6a2d897afaf38b37e18a3538b33a1418f3e
SHA512 283c08af5f8ac767f830b7b1b85babdfd8896575b9d279273b7b2c9f2def968600f5caef189a92f01ef074a13fb35a7f1f1904c66b0c801d06beabd6be901751

C:\Users\Admin\AppData\Local\Temp\mIwe.exe

MD5 2310ec5095721ee696e77c88275b9b05
SHA1 901d818c5641c2551270f50e3d56d3bf76a4d628
SHA256 e2032bdcad850012cd86a8f8203316c34d2bc5fa17261483b5878c0453d2030b
SHA512 8d030d45c2be877260c2f278270d2cb2977baa2cceacf92d2a419a46853dee6f0835e634172821c82692228b682e790b9106d19307fd606958251c5a100cab14

C:\Users\Admin\AppData\Local\Temp\Acsq.exe

MD5 6d720a75013cf82ce53a2a2c16e6e7cd
SHA1 ab1e68c7dec8a88c1e9e6c3bbfff7a5417ec191b
SHA256 6e4ff2ce6ba8257b0cae98eeab1699f9ee15a7ec4bdc571e0f8a6160f70333dd
SHA512 53be4a15dda9640347ef4f9a8365f3f8902fdb3b72b345e82377265a405c6a0d20232ab0071339bb13332f279714bccfc3144e878861a60fb6ba77454338743b

C:\Users\Admin\AppData\Local\Temp\OEka.exe

MD5 bf759ad3427bb7521b2489084e2545ca
SHA1 41c665eb24fcb3e5781d2d323c98cf507320704e
SHA256 7cfcbc68b738469975d80f24dff0a389fac232566f0dd5c2f55ad2af9c22dc8e
SHA512 9499083533433def0e8104738299008bde79c050fd45b0944e018811c0d2cdfc3fe46e877529e22c6fb22c9c9591026ed66385b7dfd5d70f8201631dacf0c35f

C:\Users\Admin\AppData\Local\Temp\SYUo.exe

MD5 bb61acf264aeec80e8080235c4d4b491
SHA1 e31a339a6104579f9c3e51ffaaffe41dff7873c3
SHA256 15920145bd73bbe8c22ff18cce65d865cfe7e15524b19e3932690d05be8f579c
SHA512 6faac3aefbbd5a01c9c213649b98835d043b078d7a345205f2048d216f8c14208957dd6ea2e1277166f3a1ac864ca37018ceb972d2c3a4289b62c4fdfc946ba8

C:\Users\Admin\AppData\Local\Temp\qIEA.exe

MD5 07084a032603ada43cbfcae2313d3711
SHA1 8287f3574d1c3afbd02a2da2c006a4fc543f3daa
SHA256 d47b52a90dfefc52a232a6c942ffc14df0ccd6910acbcbfb8da5b9961866cd91
SHA512 6da6cb658570569dfb61676feca8c9896bef1aa56c63ff7757df7553be31744a3f7721c09eaf155e4097d14cd452bd62cb699a1ad84875fe33dd5d84e877cab0

C:\Users\Admin\AppData\Local\Temp\qAsW.exe

MD5 19395d5ba7425b692d0627c28cb18825
SHA1 066813253d65c7b058929fab228ed7ade064eb72
SHA256 1c3b88311e472cad1907b3013cbf42175a1379786724614a8657a1af1e1cb52b
SHA512 b56ca86034bf3e4e1cdd255a1de89034b5c560be5d23cc30796e6b5708dfff804132ae34d728592b7507db25c4ce1846a4b2c368cfacea856117ba34d0f73529

C:\Users\Admin\AppData\Local\Temp\TyEMYQEs.bat

MD5 5a147e435e4ee33de48e3f16a27e5815
SHA1 bb78857c5022f2fe553b39fac71015b8da3bccfa
SHA256 f0f3ff78b281478ba720961af3fa8882de29161f3b6d86f3e295ffdcd6dba53b
SHA512 1a2c0e605be25c05ee181918ee23bdb581829f63ee6c95f1772cdd1d7bc9f069db68c2cf151321c2dbdb1f99598a96cfb1012b3557f47d91ecf3a360bc68e8b9

C:\Users\Admin\AppData\Local\Temp\YcgC.exe

MD5 39852b0dcff79f0ca1a40d02b1685b6c
SHA1 86a9999707478c040ce7c67b371723eeb1ab62f2
SHA256 9b3291761d07ae0ac82da4177a6d944004aa949e430d7c427c45d74d0d41a3e7
SHA512 1d48b619403e834a0eee009fea910d5e8f28d5f883ee85879cf75d2735453642fe4f4e8e1d77e3444c3ed1054722e58f9b8fb2b695df9ccfffbc97286d35205a

C:\Users\Admin\AppData\Local\Temp\qgIA.exe

MD5 ce9cf9dc23afb7fde7861fa6b9fc5bb9
SHA1 7dca53c6649195997e2497a49172fd927f73a073
SHA256 977c6934ac0cc3d172efefa91392e969c82889b39da6668dcd6f5914d79b8c6d
SHA512 69aaa950934514fa06b716c0c7d0288134e9d0bbb9b87b02660d8894ff62f99fb2ba9048cd5300935fbfba60adbc22eb6b1bedfe375a88363ed68f4022ef26df

C:\Users\Admin\AppData\Local\Temp\gEUI.exe

MD5 a53221384cfa550fb2ddf7a8f5de3498
SHA1 184928f230dbbf02ccb20dcc1d4c2392297895c5
SHA256 870029f07ad8a7df4b5d44d90a0c856475aad6aa7dc559edcf012de9f087206b
SHA512 41e11331fb08980bb2f7236579e4072dbf3dc62214a4d6d76f787d8d612005c6bc540f138d427508e66c46a16f8b1dcb7ae360e2184654f6ed7f33ecb108b32a

C:\Users\Admin\AppData\Local\Temp\kEAa.exe

MD5 5c8083fceec719516e27c34d9c18551a
SHA1 a94de5e3df665d2850fbb87fc63dcb7e534c1986
SHA256 6a7c32c70e6a5cc9bd74228876c57f16eb9411274244d2a4390f16eb4b29b312
SHA512 3e0d79a707aaec84bffd730b8670094e56ec5834e3301682f06fd49684d99def241b968f46f4f7c8d8370fc574b0b2c6b053481e6a9cac3962e84ced7574675d

C:\Users\Admin\AppData\Local\Temp\wUMg.exe

MD5 33914b7740ac430ab6fc39733b515fd6
SHA1 28f884883f7392dd2653294920f769b201c07b44
SHA256 224b855c3ad8fba15978cedb03f20b853f36297c8beb83c6fda5b7eae3a50025
SHA512 a0660faa949821304a235e984bef35319e86aa58f7c2ffe57e1f224aab40fedcbcfb2a2f209f1d4d0aab99a8e13ad990ea28c000e563d997bafb579c00605b9c

C:\Users\Admin\AppData\Local\Temp\aQQq.exe

MD5 d57d952fa2ed9348969f4c2701187404
SHA1 6d3f214d02513bd6286ff399d37a0d621551b737
SHA256 38e50f6116f0b344addef241ac412edf5daebd2b0dfc9be8e05082e5383e9a2f
SHA512 c16670262da31d79b5dc90933401f25097bd89b2921669bce059854d482c1b0a70f9b1726d7e81b4ed6684e3d08a982a4f70a4533e0c7c9b478125c4cec2907a

C:\Users\Admin\AppData\Local\Temp\YMAq.exe

MD5 915ee4404395be7e93f33b77dcd628d3
SHA1 fa8bd7480999b121defd5211733794c7c59481c1
SHA256 4fdfb72a4c087d2e9649b0c4b0d9b234629b7f69940c7c3d825b58d3ae4f7cba
SHA512 1acacd4065eff3f7873a5dbe79b7f47d925235c31936f40d3d5b52345e9d4923cfa6b210b950107ff2934e4b335a0e5f8dc3ab960bea877fd441d6231be49a68

C:\Users\Admin\AppData\Local\Temp\HyUMwMss.bat

MD5 a5c27ee1875a155d3b50b5df9e6438f3
SHA1 267d01e50987330dbcf9f67bd92f49d6403ca532
SHA256 3fdbfab993ede2f77f874df20ce4460be31e4c4ef2c01e8fd8fb7b87c3fb1407
SHA512 b140ac3b52431037d7f36ccc2ede3e1fec3fd4faf65a22fe8e37d74d5506c24d8f8484500d004ca4847c5c593c3546f16867fc00397f09587296287e062d6e5d

C:\Users\Admin\AppData\Local\Temp\wkIg.exe

MD5 fff019545dd07ab304ac64eb19049e3a
SHA1 decd2f92f44fc55b631a7a988c262bea788413f1
SHA256 ddf4a2512b20797c3c8b849d9d449efa4ad74ea43b22c35fdffe6c3a0c5678cb
SHA512 c873f33c2b1cc605f842d8e38b2d5dbd2933fcde030ab029bd37235d5a4aa9d1b94d1a86bb80bf42405291f5bb390950d408937c05088a6303f0f52038758b09

C:\Users\Admin\AppData\Local\Temp\fqIgwwsk.bat

MD5 e464ab518106f939c2a5d8f7edf76817
SHA1 e7d0e064bdadd9e683e9f3001a2c917cf1d5154f
SHA256 6ea2beb2a12bf19f8c6997f37684f297c1a721f1953d3de16d3f9326ef98ecb3
SHA512 4fe0a098c14d6ecaffc8673d4191835ddf6dcde45547be04d12f8bea2116d9f379a20588717a7f2badb2c24c81a0820b19342cb888c48b724b3d480840d8d396

C:\Users\Admin\AppData\Local\Temp\ggAK.exe

MD5 19dfdab13989b3cfe11b1bd25ebf5395
SHA1 219ed7dc074f84d52f455c7c999a9efb62e0d67e
SHA256 8a172f0beaa7d9d883572a8c9aa752b0c2cfae1a73c93ffbd28bdf2226ec9a6f
SHA512 c8ea7e434f23113e533efcf88568c955185b899dbc18c789f01a88fe40e3ae25867f90ca2f84fe8ace91a44f0defc74eac0a67d0c882bdffabe2b1c5185a0546

C:\Users\Admin\AppData\Local\Temp\UUUw.exe

MD5 9a5fe922cf300443e866b11e29c9abbb
SHA1 15a44493b8dd4a84944c9993936ae30cb2bc3d09
SHA256 c6f5ad1eeadc5487431c6a1fe981531489f306147193e87110ed3dace5183466
SHA512 966dbfb472e5ca9608a951200ececdbc72ae3abdd274877915bd5cfb1814071f15b60ef69856ed847dbc5bbf58ac36e2a23c75a4f378110ef103ea96fcd7d991

C:\Users\Admin\AppData\Local\Temp\IMcO.exe

MD5 0255a9988dc57a3eb00b5ca3ba473aaf
SHA1 f15fb98942acbb0dba556c17f204ca2002b39dfa
SHA256 231a22d922846bc939f036e2a1643f79f27e7e35484b111ffc08bbff5c5af981
SHA512 4d248b24c106b3fa05b6d959b2f799e2af408bb44cf8d75d4782a1b2443bf36f36be98e7f46e965d32d1bf818f4440810612fb1b372a28387e36e289e10ed56c

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.exe

MD5 ab99cd54d80739a5cdd4cd131a6af55f
SHA1 cc8cb49fab487366da216e5cdea4d04e52d0b0f7
SHA256 e3abbf51059ff406c4404d3fd73cd2e9c92d68e51b66d287c16a57a793842316
SHA512 2fb265fa10163ed08784a1119cd42b98e7939330df5f5b44350f145f50022e09ac6c62680a8c4509c0203b713edeb39f59d1c50a86ee38a7fde23e3b74753f5b

C:\Users\Admin\AppData\Local\Temp\YQQsksoE.bat

MD5 c18d1808f5ae85115163711d3c2a1c4b
SHA1 1db15cf1cc481303e6b8afa491b943a437a78bd9
SHA256 cc71089934e9370cab8091f6fda8b10244ac3f1543646c5c6cb391b6c04eb865
SHA512 817a336e9d2ca4ffdeea74226b15f237456ea58458bd31367353ec8b0586ab954d8117dc18f4d801970a970d2a6f8b9590aef11a8b708c04f8b3870c98c00a21

C:\Users\Admin\AppData\Local\Temp\KsgO.exe

MD5 224d55c0e1c90cea4337d21802f70788
SHA1 7ae8673ba830b800a0fdccda0661be2a13c841be
SHA256 066d5cdc983328a74143d6b2d77edef889a530cc8e6c6e22d6df131cdc63a013
SHA512 e52d2beeb1eed79189cb9e70b5e6fcb4d881e658ea103b82e97da1544578e7a8f3953b66b68f29fd23f6f90386cb84b8d40dc64ddc5a42bd6ff11d037363e9ca

C:\Users\Admin\AppData\Local\Temp\WAwI.exe

MD5 080520554b81f271389b67d3a474c11f
SHA1 6e72b716c7e4a4629de3ca84e23302e0aaa78ea2
SHA256 1b43fcb5967b3d2f6c6b1163a35663132f989a51f93fc8bac2946253f76c8363
SHA512 274c081c5ceba138cb1ee7db17cfe08b24bda2b64b5c62f2ba96205cc8878565c66ce62705071f55aa65aaa891a3882cb44cdc65369c16f26987400ebafa3a69

C:\Users\Admin\AppData\Local\Temp\wQMk.exe

MD5 c95125a9853c9c60ec328fb84fe8c913
SHA1 e16f42521823b38d78a881d451bed0c56f1eee7b
SHA256 6badbb142fdb3c9de3b98a8c1708e626be46b78dc8dbcb3d3f5f4c78e46c3d64
SHA512 0e74fdacdf8ba28de407260d252a74091532c02c8276e7daf56df07501e77dcf81f7df0a8982b0c214cf130002dc485163c64c3941a9027fdaa6b0cb0e51727a

C:\Users\Admin\AppData\Local\Temp\AUgm.exe

MD5 58e0b5824340fdcdaba638d7b52a0ed4
SHA1 555b3ad2c00b1c856b4d58cfa0f3078de553ef28
SHA256 6fc79e8b5e35f2792863606d4ce4158ea3f7bb0884fd30e359bd8d71d2e74548
SHA512 e0f4a4645ec5b40246acfa87a20684ad564234557e9c9fa2f36efc8e6f7492237c4c45ee8465f4b9783463d4ea0e4df4a448540a8b948370fd2a3846bd386f63

C:\Users\Admin\AppData\Local\Temp\IwIAQggI.bat

MD5 a584a63bb47ffc3c065a653b1c40d395
SHA1 5bd9ee7c9aa5bd8b19acd5d4a19dd4b9569ed3ce
SHA256 1b050eb4a1ef1e5db5b4019cbab387b87bb32a75d4ceca160b6fca8a24756fe1
SHA512 ac1879fd7a5b4534c97b50a4f766086b89535cfacc1638b6af8ec35e0b9a48076b4cbf4313ecacc0b797656aafe28f1ff461857ca3aaa61ee960b4d73c2521c7

C:\Users\Admin\AppData\Local\Temp\ewES.exe

MD5 244cb2ae031141d2f1f3a3999b8e9831
SHA1 52b5202861d616f8a915e100c3a3884cb606ebd6
SHA256 a24b8b59960c1d322d735f53ac226d48bb3d1fc05d6f8469cf2a44bfc85ce276
SHA512 9a10e4ddea4e5313fa6e063f64057dc31b91688ce10db3519900e963a6f54e5a161b7998a8d8bf9a98bb5a4ceec21a3ecbff060c83203e31622da386791f312f

C:\Users\Admin\AppData\Local\Temp\kcEI.exe

MD5 3797fbefeb2b6b608d1a60a7561c0936
SHA1 9de74d90294e31d1da85e94376d2deedb7b26927
SHA256 ce466857fad4019323c653d26d5e7246d41a1bf30f146ab9d16d0dfc5c9f3224
SHA512 a7ee1da5af67d662ec7cfcdc7bf5a55e60e497e73be091e1eb55aef5860880a0e736fe72c7b63989c04ebaea81f0f46ca5bd6fb41d06045a03d770ea956d72c9

C:\Users\Admin\AppData\Local\Temp\aEcs.exe

MD5 3f76cd8cc9de9e39e2bca7249634d996
SHA1 24a20e295d694a3442c85a0b603aa50f20114d11
SHA256 696d076bd56bbd065124c4a3651db1f3910d43cb2d7e57eb59104242a79de453
SHA512 a3516aca2ce00f0543cf4f6294cbc5febeacbae40e13a975cde4ba158f25fa253eb32f581057bd199052454a91fa70292cd7a29e3baca33ace6847a657793df3

C:\Users\Admin\AppData\Local\Temp\UwEw.exe

MD5 c5b604cd106776c234453e10dd14c6d7
SHA1 4d2478f8e43de43a626e89b0ab10cdbdd570b501
SHA256 2488b252a16dd0f2c49d142c9bfd69eb078f01f304583d8eb55a346412b3f6db
SHA512 8f19e480586e007d50cc2d5450b21e406cced6dd5f3b4bbcb4f2cd7c12ae88d13b19993e44ba632c588b061e0a89ac5d2f95f5b0432dba524b693938e1fbd8de

C:\Users\Admin\AppData\Local\Temp\IUEe.exe

MD5 a1d53060a8203884bcda23210233f49d
SHA1 20c2f2a19e6dc20c2eb3480eee8b3c6f29e57a6f
SHA256 ec129245e7007a1030e201248851718c28aaa6383d5d0cd873ad7b1a71c48b74
SHA512 316227c2f1182ad64c301e40ad05ae6f4029d1fefa90c91d00757702a8ce8e09b6b7ef1ef6ef3f5cf9ad766a25caf57245612dbe8d9a0d55bb6971a22bd1665f

C:\Users\Admin\AppData\Local\Temp\mgcc.exe

MD5 68607686e49238356877222d0411b1f5
SHA1 7b8d3dc8fee57eb531d6ae2d6d6ba5ba20289783
SHA256 bffd844bd5ccbcd9c019899d2926e8a7a112e9fe443132d63df845d3286eab32
SHA512 c8670351402d20972cf2e8dcdbe8f6fed111112c88c54111107a5921989b76d8ccef90442d788fede4b05a5479f411ac3d484e91ce5243d75d75072deb65260e

C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

MD5 d2cfe729fe5880bd5846d3f4fb7445b9
SHA1 cb1b7997dfbd9334a60af58d5a57bf9556b6a4de
SHA256 1852a4b6271156c23931cf784f2dd781090cd87f72bef00a4f41e02c0569089c
SHA512 62eda06c7acc283a787935e7e8ca1e143989cb638154c2772a712c362db4b8a0a1815a3271f4d69a0125222e40897695399d29034e27ff13918b5d7bf595683f

C:\Users\Admin\AppData\Local\Temp\oscQ.exe

MD5 1d46864758e77b6deaa203954a46671d
SHA1 cc572626c0b1d0276ffd5fcac68a3476a3265ca4
SHA256 891211e0a956dc6985b9b598df3f2679dae8b532526ba9fd8879a6a356f08ff7
SHA512 a740612d42e62ef5eada877d19ce9d7d56659570ef220355dd32c829d4192fb755392a1ab513d05f83c5903c6928c117d80693e70baea212b1d585dfcc96828b

C:\Users\Admin\AppData\Local\Temp\EsEMgMcY.bat

MD5 173cffca1ca037a2931c4419470ba6a1
SHA1 8f6c3d82b028f692e91e121dff25e72744be914c
SHA256 03d36a02aa227e98e68db329fa2400d09a0d6d998eb6630c9990ce71ff97c290
SHA512 a06aa3b416fdcebc6c087f4c25b04dc73f58405c86d88982dcaac4d7f6c36e239db118e66ec770e55f7a980d9fa4b5e8c51c347661de74e42bb90b11fa463269

C:\Users\Admin\AppData\Local\Temp\gWEo.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\FIsMAQgc.bat

MD5 de1f738265aad91b0d029827450d6941
SHA1 43623bc915ee63fb31711b31a59f5a0a2122e16b
SHA256 d73fa07503ebee51343ca5272378128e28dabb764ff5e6869db7683476b17b2b
SHA512 9517699d44bcface44bcba23a7e82fb02cf3a4adb97d2e276a5eaa7edd0293ac59f5298632fef5d1a69c0619cce97237f57860050555ced385c6e8dad3213f9e

C:\Users\Admin\AppData\Local\Temp\IYkS.exe

MD5 a8cd7763f5cdf153617a071280f78f90
SHA1 934f50541fd0ec55263bad5d5c2f67145ef2113f
SHA256 61c31d6e5011581a33a380f5e60f46b57a7181dce8f8488d0b309679338c79df
SHA512 b9eb70057a9bb6f85fdeaf986f726aec6c8524e9edf1cc701bc5367ad408607230a1024b1d358c4480270ef5889ed082a7f314c8626ebba3e5dcb318ca61c5f8

C:\Users\Admin\AppData\Local\Temp\Eswk.exe

MD5 2ebe1fc61ad53cac5ac7e2d7ca75bd66
SHA1 c60622107bd726289beb93341295ad0d174cfa34
SHA256 42257a3d3f75c27d3aa0c5c7d9e7b7e17e5332d379779097a2aad301ddc9720c
SHA512 15a0bb0a5aa03bdd695692e90f927a96964c5ee8a5568e71588dab1bbefc6971ec931b1b87224f95303d267af3157bf6a928eb8be53743c7e0ee074100e18e18

C:\Users\Admin\AppData\Local\Temp\OQAs.exe

MD5 ed95fee7dc8e6e29e70cca3cf6d204c5
SHA1 33eaac595fdc559c8134c89673de925b6f73c8e1
SHA256 9997c1d728c46996c91681627b6c4cfa53475680bc34b567cbe55a1c3eafcb0d
SHA512 89cc8d0ee4c3e79447c30af555b538b2fec02b0eed4ed20c9c0c195ff99d914679ed7fb83499466d3c89893db3946c02216946be197acc334449dda925a48054

C:\Users\Admin\AppData\Local\Temp\SEkU.exe

MD5 2e4554fca7d7b6dbf995b6cb2e1203e1
SHA1 f63f2e04457e2d2f5e07b231177dcedf15b341e4
SHA256 91be1f9ee69098ccb935e074a3a3ee9712cc40a3dc40574ddf50abc3d295853d
SHA512 d44f6affad0d4b9e230c20a6836ff69ce463865190eb9572db578c53aacf3ec3cdfdea2004df882f4a1882b4053d441b5fbfafd033434fbbada06f655b799063

C:\Users\Admin\AppData\Local\Temp\gQcQ.exe

MD5 5453381f52672ce95f87390e4cb40fd2
SHA1 626162cce61936d74991e4e57e4042f6d029bde2
SHA256 6ceef4e008ad6192cfd5be5470a88fb4e04b58d9dbeb0bcd4dc0e54217be96c2
SHA512 a03e45dbd949426943592155f29df906e72de67699b730e4720ff19a1cb424b78fa8d157abd5691b2be1e775cc4850012ef12df32efc0321df8d4d921885b2b5

C:\Users\Admin\AppData\Local\Temp\OwMi.exe

MD5 41fee043395d004ab15fc43748730269
SHA1 3a102d56d5c686050c213d7c168e5b6896e54821
SHA256 20d24065b4b33c11763b67deae1f94f9338589639713aced184116175cb9677d
SHA512 202d58b1bd6755d48536b481f17b6eac67116c6c62d7bef6fff4e063f8286f3538e53287f5750939bcb1b1468d9cc5faacf01e82d9eec0a158972d012a524ad5

C:\Users\Admin\AppData\Local\Temp\msAY.exe

MD5 b64d441de570582496f2530a2edeb18b
SHA1 15d96348220ff677e8233bee89e5fe4fa31ef59e
SHA256 06d63ebd836aec76282b0eb02b8a9aa9973269584cddcc4a4ef651235ce52855
SHA512 ba1de45a5317d208fefe8f0bd455af1ec806b42958925e068b57ec7b139291c3d984c99ac5741e9c141a8ad27ccc41f6ff38db1dc10f6ca0f22bc714f49d3fb3

C:\Users\Admin\AppData\Local\Temp\VaEoosUw.bat

MD5 ed12ab531440f5c2174eef3e2e99513c
SHA1 b5ee79fc4d1feb7480a00e10668d2d29b79f799f
SHA256 c2d37ac66696077a1dc16bcf3947a2f8b716fb5830b6b65765596192eaa16057
SHA512 e649c29a8561df586896f2b47e04897cb6737e7ad4ba1733f49fb5fc098c22faa7f4fbe1b2f598e9904de92af9464ab9f5413a50b0b3625fb506ddff3bc53a49

C:\Users\Admin\AppData\Local\Temp\WgYK.exe

MD5 21bf3b7ccd0b96018e8be2dad31010f0
SHA1 7d7d557d810410404b8af3fd13843382a299e860
SHA256 cb1f38a3fda573da4df1ae011f978da12092502e3c08aaa3092a933d625de408
SHA512 7ffdaee9e168dd4382e540a3347bb5b477def11ba2e6d08ca1e484c3c2593372a7bd57617112be6f718052db8c8f85c74e355293352446bc44a6e85867ef3996

C:\Users\Admin\AppData\Local\Temp\YoMu.exe

MD5 233397aad803e45299d6397e087780ce
SHA1 6211e5b055cc954ad8dde1ee1246aaeb2b27d8dd
SHA256 14cc480cd2a99d6e99b84ffa2f079b6eb0d7a1cf8ead7502810ddc0cb024cea2
SHA512 b6e554751299a03f8197335ce0961d5b71cc902bb338117749893b0578277723df514246a85f7a94d28d91556a30056335af2ca97cf658a68f5027768fd8dd84

C:\Users\Admin\AppData\Local\Temp\ywEW.exe

MD5 81e0992ce46109938ee60d37436e6f99
SHA1 fa1fe179ff7f7daaa7be21ac7c066b5487133117
SHA256 9372496d98bdc8e730ec43903cbef9081790dd27476b78f749001b046e027f33
SHA512 ff5bb7c7f9725a37769fbbac65de980cf9d770d67fee0f73580dcbfa7fbb78f5ee5e065c9466319c03653fcd0fe239eb47bb4f4b4ba6a7b4b80137ae8463e89d

C:\Users\Admin\AppData\Local\Temp\lswkQYwg.bat

MD5 466accc55da9e3964340e1a2fdb723c9
SHA1 523ad71acd5c760764f63877918b26a6aa0a19aa
SHA256 ffa01dac28fa5f1bfb2094f3870a8cda2cbaafadbfce0ac546d69f979b22cb36
SHA512 ff93f0b80822edf6b32fa6a90440bd62179a3aaaafd362e0400bcdae109caca03d2572204d9e2ecb5cb9363f5548af9bfd0db340db0b804cfd589dfa2b46d604

C:\Users\Admin\AppData\Local\Temp\kAQw.exe

MD5 5ba087be06fc111ad167c44d04be7f47
SHA1 d454e66852d3e9f34616548c2d094f0a1af62fb3
SHA256 5b515f4f19f662f1bdc32e4959db392ef82369297cb5d8b30a594e2d2bbd9000
SHA512 12b085acda00f9e79865cb81f1cc5f1f50a796bad53cf8cb2cc065988228bc6d66f3122df66122d12690e8f7aae43804431adfd2f55026466e20268c86e571f5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png.exe

MD5 42d4e55d98524a52c599524349b9f4b9
SHA1 c5cebe1caa4057267bd710eac11199a2d157d94d
SHA256 d06070e20d0770a510a7024baa03afff3d4d984e5ae75a3b13d8e8d441521fe4
SHA512 1872544dc43553b1aae17af4df90de8d649839f134d0ab297862d5de811909abab8284dce0f5df49e58a2d8742f7656a634c740c4cd271ae984c50c8060d8383

C:\Users\Admin\AppData\Local\Temp\ccIK.exe

MD5 4412771d8d8578fedd625a1dc088514d
SHA1 c94a3d87e2dad7b218f5835de58c4cabc109fe2e
SHA256 c5721a615511cd93fa97b210d60f42816941a262f9d77406149e74ddb48690f4
SHA512 26b768b3bbcd4e8a18c6cfd8de4379abe14f12b92b2c5788942351010fec2c83a9571ed23b42bfb2e5ff4c5973e7776fbaf11ed0d909ea1dfb22e502c4706b14

C:\Users\Admin\AppData\Local\Temp\oUEA.exe

MD5 e68b81e2af1335d726e4f956650b673f
SHA1 651b0cfc1ffe7624e18ed0e09dfc7645ddbb65d2
SHA256 08ed48b33dee57e16ba21eafbf4f599e8c4f5ff71b84322a3b7571668041fdbd
SHA512 6677d2236394279626ab8fe5af460ad06bb64660683b382857773b284d739b0048883ef7410590e913f49f57188d5978d4af34a2a838301f0cf4a1513ceafb34

C:\Users\Admin\AppData\Local\Temp\eEwUgYQM.bat

MD5 1b01dc68e9688c4202b48dc884bf0e5d
SHA1 91ba0711d1abf1a79f453fdae12e5b40b423e051
SHA256 4b4682f42ae14a178148aa8700779e86c48f299bc758ebd6596bd1d4192dd066
SHA512 6b37a870c64872bfcaa4def715ee75c6b414cdd28f1b90cdc2dcd10aff100118d4a64824a221727827bb9cf1d0dbf427048527a758b153028523e570ebcb8596

C:\Users\Admin\AppData\Local\Temp\kowM.exe

MD5 30b7ced98e45431ea6d2a961715c37b5
SHA1 476a26142b5154ad1f6ecc54a6fd373496aac0d0
SHA256 7617803caae414ce81796de3a28cb4c62cdc6645d68ef0f24c206fec12eaa440
SHA512 8e2ef881d8a2bf80d7b07660960f0f6a7a46aeafe5b597d550912472ef0c1a899884bb5a8087c6cca895a37433c740fc5637a84b84d703692932f2601d2d6311

C:\Users\Admin\AppData\Local\Temp\uksk.exe

MD5 d21ad4bfff8771243b2b0fedffcdb1ae
SHA1 aac44343acd3188089b587f5f0726887e21f47fb
SHA256 ec5c476a587808d954e073140c712b34a8267200d93b6fe6928ddd3b98f7cc5c
SHA512 6975ae3a4b980d3fd9ccd5ee61110d6b279fecef0cb81595471fa59d6737e8fba4ca4177ca81d3700e4404df64fa10f002c536bdabb46e0a488a5889dbfb98a8

C:\Users\Admin\AppData\Local\Temp\YMoG.exe

MD5 1ae1b7e21977a18176980972ef26ffd8
SHA1 3e416046eb3a0e429bfc28135c0ac4bbe2ec9c50
SHA256 df3e7a6a16f89187b332692f93c6e744a565db8de43510458b05daedaea741d0
SHA512 16fdf13a266030a14caa586d72e2f22bd0acadc058f2bea0bbbed5dc6cd7599171e50a13b2d1b182c16b5be034d06dea4e2b7d3cdb307e59b85764b92a470bae

C:\Users\Admin\AppData\Local\Temp\yYIW.exe

MD5 7387871e9c404c821b3c90724c156d45
SHA1 679bae8ae34880deee256b3af009d204414555a6
SHA256 64771acf69f0badb969cf7f0fd4bc85647329b783e906d9e5028ff3ae6099d0d
SHA512 95f2f1ea62c1b417d48a3f5790f09f74fe36d259619135fbaeca9f5145a7211e54e01998832ffe63fc5d340e95065c67b4449969210bdff2ba064e09b78daadd

C:\Users\Admin\AppData\Local\Temp\yEoA.exe

MD5 812594802d3408f6fdad42776d0b6bd6
SHA1 b3d8dad73cdb81b720bf38ea9f88cca1da6bd0fe
SHA256 2101af46475e5537fc09b28a6829804499f9043578dc5deb2aa96be67754383a
SHA512 3a2a05385f6ded7b9500e61ed5094126d4963778268811ccd1a1a5f22cc4c81f6ba62f1fb3b6c6b546f6e4905593961ce6335fbc23f0cd1a06f2acb7e0084285

C:\Users\Admin\AppData\Local\Temp\wIYIEQEE.bat

MD5 487c2930d5a50bb8de6b837768b77439
SHA1 c47d3051fb35da7f4917c6cd2812552d84621f11
SHA256 5143da6ff80b4263f5e9132e3fb372785c525ab0822ac88532e62a85224979f4
SHA512 88cb61c7e2772dbbb885591ef487cd935ad974422d29003d097a1659280dfe2e2c22cef6bdca3581e40f9dc0f6781068c691879694424db930a89ae239100681

C:\Users\Admin\AppData\Local\Temp\WwcM.exe

MD5 a301273b04cba76f6f0327f01ed6595c
SHA1 3dae7a9c9a4fc1b3b6a132ce18680fe214d38cdf
SHA256 45e64da5e58e7c097d9e3eecb936f866deddf456fd8b8387bf181efd47dba130
SHA512 4fc9b25c99cb524786b945009a6c1598a8668f11672717efb14c31f837fd519cbc739b0cc7bb9f39054b75745c53c4cdbaae6e34d98353e0aef5f30de054146b

C:\Users\Admin\AppData\Local\Temp\kAAs.exe

MD5 287bdb025b18e0c2a7659c352a4f0868
SHA1 def6519a06a38bc3602eab2283c212a638a2336f
SHA256 76b2b6404594e336a246ddedbbc35df5cb7bbed575c76aafddb0c206cd601c20
SHA512 178098cc2aa833a8b2b11f4c13d2b4c587d7484c1d36fad4a318f63edb601bc4f27acf80ea489270509dddad43710c2e5f5286a1981c5f1de4ba66a308d9b3e7

C:\Users\Admin\AppData\Local\Temp\msgG.exe

MD5 06525a3e2af05c86cbabc4a50f9cf2e7
SHA1 cba40b0e85eea958394a1c11e9e547ae7e7aee56
SHA256 85cb202842c1e3da58bed2ffe388516f9db111ddffefd1e0fe9d57f18061ce7e
SHA512 0a396965cd38a3bb4068c5c5138050b72c2a0093d22b85b10ae6ea04ab58647a0c20876009a8a7169e9a12a6cc68a766740798156f4183a29d3260e83ba6b452

C:\Users\Admin\AppData\Local\Temp\kUAS.exe

MD5 25a0e7498d6b6c1fca730b6a5b7c0e6b
SHA1 dc47a238b36181e3957892244decb9ae19341d35
SHA256 2455a2171a48f97cfa5877e76b1853dba076d1abf8a1da0c89632f5db825f58c
SHA512 eb5cd924aa60ca22edf9dcb4b176933a37bfbde345cc7791bcbb405c4c2448372a8b4dba0a6bb9379b0f76a8be24f5ed1df8d4e1ce0d9bb9588f257594a92e03

C:\Users\Admin\AppData\Local\Temp\MUUS.exe

MD5 88cf36c7386c4a322d9434709df16816
SHA1 6b72445b10cc02ce5f9713611d2ed159fcf97ca3
SHA256 ecd3581f5caca5060f543cf694a61f79d616309384d7d7fe697830305e46c88d
SHA512 a231e71074d0e6421e00abc822c7c24925e707a3cb807033fdd73865aaa2f9ebe8c191a9bb674baa4e2fd3be135c53b2c8317fa5a192e95a7d74c01bdb388b7f

C:\Users\Admin\AppData\Local\Temp\Ogwo.exe

MD5 01d04b3fb918b7a5e44c70cd5ca79db6
SHA1 91dd2c44e3ffdca6568df62a905e1d1453fb1c70
SHA256 81b48ef72686e4f6aa937eaaeca9a063458e046b9aeca5346f254e524c18669d
SHA512 0b4473c0384ed0456fd2da4ce4f7ccb2c31f6bd21cf3f704ae4f479f82835f244e61c6d3e60882a4f3ca7bddff6c42f75ae0c684d2f78e3944c882f87ca6da01

C:\Users\Admin\AppData\Local\Temp\kMQY.exe

MD5 2d1216aa11bb0b892e173bd9c55bdd95
SHA1 35a6568a42579978e93dc96707aa8ab895e90207
SHA256 8726c35765589cb6904629d2e4ad6a517a54f070d050608fb4fb5316af9e8be8
SHA512 5c50f95ac50d58467f9cd0702a72f90cb10731a84b971746bfd0b2d46bb8a1dd562eb3e9fae0f9da801fd404cc472e49efb8ced75198699378463f20a7df47f3

C:\Users\Admin\AppData\Local\Temp\QMgC.exe

MD5 4a65644d092831e0a2ac72b71db4957a
SHA1 3a55b782e55634e6ada981909884a26016f9aba8
SHA256 e08cdd88da71a0a05f63c68a4216b458a3eac281069e4027e074af44806eecc8
SHA512 d126b90e49facf8679573d6d60630ea034e1147f43928cda2c363d6d1a75c82ee28416805bee0cb9164d4b28189f9cdb5f7cdbbb7c7b8c07bf92008ed562b302

C:\Users\Admin\AppData\Local\Temp\zwoAoccY.bat

MD5 bbc2807de79bda21db05890f14ac0071
SHA1 31a5b91bc6004ad2fa0676f6d64b31bd5793c454
SHA256 6379d11e842bb7a542c9ad3a12f6ccb706b01f5db005cc8b22e0da1e0031e932
SHA512 166870a6e515aab7aeade4e076073bccd9cbfa1957d05bc473de2b439bc4ab930172dafdc7fe5142ca8c1ff221fb8a3c5ba82c1a61b16aaaf18c2417cbf2da7f

C:\Users\Admin\AppData\Local\Temp\cYka.exe

MD5 2347955fdb69dccab15675c6c585a450
SHA1 fc92fa0ce96b6f8da05b215eeb129eaa6109062a
SHA256 d1270c18f87d88356467fffa3fe34ec55acbbe59906efb5ce7dea69ec3f69fb8

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 01:21

Reported

2024-06-14 01:24

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (70) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\ProgramData\OcwsAwEU\HowsssQA.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\DOkMoAEA\PyIkwogs.exe N/A
N/A N/A C:\ProgramData\OcwsAwEU\HowsssQA.exe N/A
N/A N/A C:\ProgramData\reQIQgcw\bwowcoQk.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HowsssQA.exe = "C:\\ProgramData\\OcwsAwEU\\HowsssQA.exe" C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PyIkwogs.exe = "C:\\Users\\Admin\\DOkMoAEA\\PyIkwogs.exe" C:\Users\Admin\DOkMoAEA\PyIkwogs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HowsssQA.exe = "C:\\ProgramData\\OcwsAwEU\\HowsssQA.exe" C:\ProgramData\OcwsAwEU\HowsssQA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HowsssQA.exe = "C:\\ProgramData\\OcwsAwEU\\HowsssQA.exe" C:\ProgramData\reQIQgcw\bwowcoQk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PyIkwogs.exe = "C:\\Users\\Admin\\DOkMoAEA\\PyIkwogs.exe" C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\DOkMoAEA\PyIkwogs C:\ProgramData\reQIQgcw\bwowcoQk.exe N/A
File created C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\OcwsAwEU\HowsssQA.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\DOkMoAEA C:\ProgramData\reQIQgcw\bwowcoQk.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\OcwsAwEU\HowsssQA.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\OcwsAwEU\HowsssQA.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 788 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe C:\Users\Admin\DOkMoAEA\PyIkwogs.exe
PID 788 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe C:\ProgramData\OcwsAwEU\HowsssQA.exe
PID 788 wrote to memory of 5200 N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe C:\Windows\SysWOW64\cmd.exe
PID 5200 wrote to memory of 1028 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe
PID 788 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe C:\Windows\SysWOW64\reg.exe
PID 788 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe C:\Windows\SysWOW64\reg.exe
PID 788 wrote to memory of 5504 N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe C:\Windows\SysWOW64\reg.exe
PID 788 wrote to memory of 5612 N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe C:\Windows\SysWOW64\cmd.exe
PID 5612 wrote to memory of 4004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1028 wrote to memory of 5244 N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe C:\Windows\SysWOW64\cmd.exe
PID 5244 wrote to memory of 5396 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe
PID 1028 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe C:\Windows\SysWOW64\reg.exe
PID 1028 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe C:\Windows\SysWOW64\reg.exe
PID 1028 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe C:\Windows\SysWOW64\reg.exe
PID 1028 wrote to memory of 5304 N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe C:\Windows\SysWOW64\cmd.exe
PID 5304 wrote to memory of 4700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 5396 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe C:\Windows\SysWOW64\cmd.exe
PID 1688 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe
PID 5396 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe C:\Windows\SysWOW64\reg.exe
PID 5396 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe C:\Windows\SysWOW64\reg.exe
PID 5396 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe C:\Windows\SysWOW64\reg.exe
PID 5396 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

"C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe"

C:\Users\Admin\DOkMoAEA\PyIkwogs.exe

"C:\Users\Admin\DOkMoAEA\PyIkwogs.exe"

C:\ProgramData\OcwsAwEU\HowsssQA.exe

"C:\ProgramData\OcwsAwEU\HowsssQA.exe"

C:\ProgramData\reQIQgcw\bwowcoQk.exe

C:\ProgramData\reQIQgcw\bwowcoQk.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIQQUYkc.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WyggQAcs.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcMEskAg.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQMQwQok.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LkwEsUgM.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fIUgQoco.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYQwoYMc.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQAwAUcE.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\seQEwQkE.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKYQAMkA.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\daYwcUEI.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nEcoAkUk.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSQAgwUk.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\esQUUYIc.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gkUYksEI.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\caQUcAMQ.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ciIMwQYo.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FsQMQsIk.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rqYkMgsI.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NwAIkYIs.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OmsoYkws.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecQUYQoE.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WMMAkMsE.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zuIYoQss.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pUosoQck.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YUsYwUEQ.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\leIMgsQo.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ggkswcQY.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgIAUAgg.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xkssosAQ.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zwgowgsw.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OkAAkYgE.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIMkAoMI.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fuQwwgYM.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwUEYoEU.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LcAMgccQ.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEAIgAgw.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eiwMsYMw.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGQUcQos.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqYssMEU.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AyMokggA.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\igIsogcM.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rSEwkEkY.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jioAwkUA.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RSQgcMEs.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KkEEcgYQ.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SUkAMwYQ.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UKosMIMA.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FewYQwMc.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VswEQYYY.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TcQsIIMI.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIEcwAMY.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wikQEIMo.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYYcgIUs.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSYYIgsY.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fEgsQEgs.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqsYskEM.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUkMEQII.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGAQMoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IwkkQsUY.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mikccQcA.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGAQUkcQ.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hckYYksk.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hOMwkkAM.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SascksgY.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqIcYYkY.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oQksIwQs.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iugsMgks.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ViIYYYUM.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jmYcUoIo.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv sXuyYL6RUEK/NKSg1VYxSw.0.1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEYIcAwY.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wUcccocE.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sGwsgcAQ.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwwEwIgw.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BkwcYcgM.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VyQgsQMM.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmIMEEsA.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKAwgsQM.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wwAckMIw.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksokckMM.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NIoIAgIk.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe

C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWswggoo.bat" "C:\Users\Admin\AppData\Local\Temp\903144a5c838df81e04bd0267e1b8184e67840b0992efb570ddcd45c3799cae1.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network


Files


memory/3604-864-0x0000000000400000-0x00000000005D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GMos.exe

MD5 9fca12527c3dc99d341d56dfb23503fc
SHA1 e037d71a8f92c7349949953b2cff43fc1ee66495
SHA256 f64a940df7bcc14bd788fb30321a9edabd6740d2d12a3d7a321a1a7bf4b70665
SHA512 96cd293788a3431f22d1061bfee1a27fff9d9ef1771b2c6d8c621e13abd8bfec11a86940655390c51427906375d08e7a2493fee513f668052ce9585901f2e783

memory/5484-858-0x0000000000400000-0x00000000005D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eIQK.exe

MD5 9668941256dc534ca659d950a2504fe7
SHA1 8004937442a5406f04c1df0e4276d80a12eb83c1
SHA256 99590ee5839848e34f7ee0f38530b5941eb5d3aa59bc6e345c7a6bbcbfcba28b
SHA512 86bba89e1f57b51bc2ddb5de7d2c39f7a4fff77c2e65fe231a52543f56ab28ed46f158e9f2277146d144bc9c734269494d4ce8832c2a0b63ba2f649768b7d108

C:\Users\Admin\AppData\Local\Temp\kQkE.exe

MD5 c6064d5b98623f8e75528dc79b238e88
SHA1 1a447c0b5176df827d9b718e012177b055bdd602
SHA256 24744e8c300c82f926ac0e032c51f715af664b7a5cf2f86651b7b1305c774de5
SHA512 346a4da16ab8a445904c9fd880cabdcadf0079c612ad003a7123abd9398974027c4cb737080ab39de1a4900973947e4ac2da96e3af30cb85b7e79653bf8a8f03

C:\Users\Admin\AppData\Local\Temp\uoMa.exe

MD5 1b61999c910c301259a9bafdd64be96e
SHA1 c2341325a24e3337704a0d1d41b03ff2153299d2
SHA256 f42912cf9cf020d02f2308908ed097a0f112ff5e33c69fda7ef9cc3b4ff9000c
SHA512 e29174290bb10840e227f5f1baa7aec5efbfaffa8fc48603f44f5f0dc87fbba7c4968a955e7791571505becaafd3c81fc667c58cf8927ce936820616949506d8

memory/3604-954-0x0000000000400000-0x00000000005D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AwIc.exe

MD5 25e8031f5b2daaf54f8282c271451283
SHA1 2edbb45a6adf933c92c567cf0137bf902a37581c
SHA256 29968d55867b91be8d04ed277044485d4fde8baa84d8232f415252d7889cbacb
SHA512 874ebfd8a2a7f732bed2d8793982592ccad766293d6fed64628e9fdbc0f925cd2a294fa9d79cf0b567bbcee51756ea4567727b55e6528bfdb212f338b0d53b1e

memory/4376-938-0x0000000000400000-0x00000000005D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EQUE.exe

MD5 1d4f7dede7295037e3ba052c9a20a8ef
SHA1 38d9c2c8fcb2ccb1c4cd3d032ea1c14cd59dd259
SHA256 f6722d3ef30f8837b53c82d185aa4859fa2daa2719a6a69a41ec5655f16c9741
SHA512 771f65e5acc47306daeb82d340c813b23a293e77094344a9eca495ee1fbe3715d40eb1fce094e6c8f29f66c03b85a121d70169ce6b745651922dd4c52bf07ed7

C:\Users\Admin\AppData\Local\Temp\kYUQ.exe

MD5 2055ce95a2ab61f4201254fe4ae93d47
SHA1 ec62fc46898a0ba33595e28876a94f06fb3abe3f
SHA256 b217a6eaf527806ae2664706ac00ea0475d4bfe85dbfe5af683a689eadf3a489
SHA512 c2cf712d44635cabf52530ce1de395e80cfd48be94f862f41be42c018fda0e4853a02cfac3e49509a3f6b1b2c8cc9b07cfceb6e8095384195ef4dbd08899fa47

memory/4376-977-0x0000000000400000-0x00000000005D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uIAC.exe

MD5 f93b8b3bede78ce8894b301396d96a56
SHA1 de6d2531d162d87029f96aa414b4d85e96275739
SHA256 46e84fba964df0651c16bf03d11e8b581496b33cd52b0912d351f7bcff89c1ca
SHA512 78b65378667256cc4887370f3c30150fd2897be62c0fbfeac9b7afe45acf06a09bee5f2ec8f769a2808450479d4509eb1961eb5f51c4b477f81e947e15b61444

C:\Users\Admin\AppData\Local\Temp\esEO.exe

MD5 9fb9c4f66a081485e17a4311e76f7220
SHA1 3418b3a36ecab9c4ff30485b6f248870c095d452
SHA256 e7bef69e82871908f879325814732818aae76073f86e5a34b1c1253f7ffe20f1
SHA512 577ad5ec2a302bb289c7538081e3e919b2ffdb5c880da3967809f48bc84619aaf5d0904c9267dc8e8dc20b87d4a7bee25fa62c639459377c7d6f9f8e5bebafaf

C:\Users\Admin\AppData\Local\Temp\CIww.exe

MD5 138fa27827207b667a0de0ef95473fb5
SHA1 7907937c9f352d6b1b03052fc8614a7733e0263a
SHA256 e253a658eb5b54fb65bf75a7b83bc6b7b0d718c26c0a22150aca91221a939547
SHA512 bf2d4e6867929acee5165638c809de519da2d6687702a263f4d2e48c8abff0b88df9afd3724a1fd0baf3faa5d15b014859c865334531185109b13ddfd2f2ef2c

C:\Users\Admin\AppData\Local\Temp\mIIc.exe

MD5 2f3dfe14bec03a19aacbc961a64e55f2
SHA1 e62d47aaf664be2adcd78837783b4d5aecc39e0e
SHA256 e6168cbbf240e77c120184298043381db1260c889fa3b3270260ca4070cc30b5
SHA512 0a65f283d129ed180b118c0cdd3fff8ee14c192448910ab38e4d1c9704daa5dca9719dffc355e821eb8bfc19edcbedd38f0facbe3fdb72ccb31203b93dada493

C:\Users\Admin\AppData\Local\Temp\mcgA.exe

MD5 225b902d9a37810f3f2f64c7fa46bfa7
SHA1 9febbd9d9477f62446f2986564409f0adcac2393
SHA256 2a30bc488f4bda7b4ebd42a005a52b3accf3c23d6f09042905d6f043d3752bdb
SHA512 033a614abb847282413d736621cebcaf62a8b5a1dc66174b7fcfb275c30a84514aa6e686a56ff0982dfb318af1d1a027567f6b6452f5e0a8ff38bb697c490aba

memory/4980-1049-0x0000000000400000-0x00000000005D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AYoc.exe

MD5 f4de579592b0581641d542dab8c544a4
SHA1 1a3570b463f3aac4026cfdd19e8224c5e0f24fde
SHA256 586574496706c51d49454f92e2de2da6f7c1aa5f1c12403704c6264ea6fbd31f
SHA512 188699209af794369189217d6c45a3f54c1eca53bb68129f3c6f779976a32383ec7381268fda4df4853cbb9fbc0c45da25bda56cfb6b999dba4309911ec97217

C:\Users\Admin\AppData\Local\Temp\KgEw.exe

MD5 2cabf5d094226ab8bb4a1067edec8655
SHA1 a6e40f36991b34d01d129a22026deba8584f21b7
SHA256 2005001303a3934b1d233aeee23a15881ca2f84598423c95a781820f22c33eb9
SHA512 646e07cba17b168d11b403e19bef25bde8700cae67458b1ca800faf2c9ac1de6c65acc898219570234278eb7b730fde1cd5c990f1d67d6ec0c9a0e3a944366be

memory/5492-1106-0x0000000000400000-0x00000000005D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Owww.exe

MD5 60bbb2d7d0cc8eb681db9f078850f9a8
SHA1 4677090128cf76ac955737af7c5c48aa321962c8
SHA256 9e9feac16b4d7dbcfe35e8f8dbb8539287a2af1b74161d0f06563077fc5ba99e
SHA512 23487911901d447a32d9d077acfe591254c7fa9b03734763ae50ed677b8c5f957e00434a7a9a6eed7751b9b4a64be7b3170d3afc9018e0e140d9df6169ae6dac

C:\Users\Admin\AppData\Local\Temp\Ucou.exe

MD5 dc26e509916262717e902974ffd3f73b
SHA1 306385c1931eed15c1cebf1bb3e2071ab8a8532b
SHA256 a3ae4bc3d49519dee8f4f765f1ee53dad3d1547d35e136274fc4bfeed720bfee
SHA512 ea7fff2f284ab789421649652373c0dac160cdc8932079bc0a180457582fda3d95278e37a42dfadf590479d18085053bfcec2dee7999b8067ad7b4bf5d4336ac

C:\Users\Admin\AppData\Local\Temp\SsAM.exe

MD5 8231b7ef67519d55ad02f317dacd72c5
SHA1 de8cafbd4b7dda9eaaa0a34ad9c3194c367f3e18
SHA256 4131155a495d7c4281b0a76686a45064e18590f158dea81cbe79446588adac48
SHA512 2cc2b4e0a53326ec63bf2f004767a3f206b87660384d7ae0951fb129655f5527537c914e22143cd3a641d09358d0f94e568f6d3636489bb5a0e13b0c394d8f02

memory/2732-1144-0x0000000000400000-0x00000000005D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KQsa.exe

MD5 6d571d86603ede4360b82ebf86dbece7
SHA1 b703ad3e930a60b533e5e31def67a343b0ace8db
SHA256 e1f5a254d87c7a6aa76e4e6ab08a6e65f92837238ff7f3402d877bb5a3aa0cda
SHA512 eb2bcd748ed10bd6277ace9a828f5d5df6b2c7a7df4aaff81a84f68ad596d97deee48d8c64a0f13840d77e2afe2ff163c84bf79b3bdbd7353d72a3c8a33fcb1d

memory/5492-1159-0x0000000000400000-0x00000000005D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oIYC.exe

MD5 87f3cd2696988f10f9e7ef1f0596cf63
SHA1 8fd65c56555695b182c648d07ef48f1b62c3916c
SHA256 3706fcae00c0be3bc60e968de2ebbcf129c2fa745da05a9aa65fa2f59419db87
SHA512 6707bc7a9ec8e7f7a9a0f897fcc1fbf3e49121f18dd748b8e4efbfacc752ad641b70c3ca86531dad370df3fb5f769aa2eca5d1dd0ebe92d0243c62ac9e3a05b2

C:\Users\Admin\AppData\Local\Temp\wwcs.exe

MD5 7027296eb2f5f53593077314563076cf
SHA1 6e0145baa0981e3f391e19aadb0fc34ef4fc0cd0
SHA256 27c718ca905666de1bfd7689c8238c61a031d6e94f121b603453d7700f14541b
SHA512 3c351d88efb307d36464a3925ee90a9207d10be2a65c53371d83a8ecb574dd090e45b53a5142c417bda6efc2dbf801ba6eddfde9cf72c720359f1486e47d8b73

C:\Users\Admin\AppData\Local\Temp\QYUa.exe

MD5 24f9ea55d7c03e0028294cdebeb7cace
SHA1 689e0a0d7dbc80894c79f02dbd8bde4419fbaf38
SHA256 62911b8c27a9608e6b0a5fe4e8c9256fa32c4fed5b7e8582a57e9f0d36152fc5
SHA512 2c87a9096a175cd41f4c31df999ffbbe4a6fe257d4b305fac933da491c6614604035596f1c70d1969a5df2795ad72a05cc3a4e2f7a88bbbd04e08055b11375a3

memory/2732-1211-0x0000000000400000-0x00000000005D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EsUI.exe

MD5 4a2563cf6ab1d7b525bae9447167f1e1
SHA1 a43061aaf02bd3f33811a39fc5d3da7b2f868250
SHA256 e187a20d6b951a7bfce3d48e43025bbab3c719f925c83e2f9e0eda8df49c8368
SHA512 d5943b8ac8da253956fa6b1149ef2189385950b9b0dcbd22a936db65a9343eebdf3bd7aa7e23c315d7df5783c1eb36aab496c92b157d68bbbdd4ff9a16a90f31

memory/628-1243-0x0000000000400000-0x00000000005D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Swsm.exe

MD5 3e6773466fb2da4357d5864a0c741b21
SHA1 2e6a3022f4497512c89d7d16e1427a8290f3132e
SHA256 9ceaa6d88f64c2e6d8fd551df550c90a58ef002b9d4252aed0e590b925a9c8f3
SHA512 f71e1c078e51e9de41130a2810864cbf1818fb20d8cc99f280a5e4112685f0c5ad0a9f4941ee453e85350e53de847785bacf046f0666e9623e48f16bc5094f4e

C:\Users\Admin\AppData\Local\Temp\moEQ.exe

MD5 688208bb5eee4dbfcc357bf9a8027501
SHA1 07a19ddb2ec4a69057203282fa01ed54c630e4a7
SHA256 ed335090695f703d2651767d6a0f9fcf83ed0b37989c12d51d573d156f445a2d
SHA512 378f637e9d6f543c9bb1ec9de7ad36b78935907caa37dfde261c7ee83bcc8c44b75ff4b0fd1dec886416ec222974b000a6fe7fcdaae82de7244585b0de736989

C:\Users\Admin\AppData\Local\Temp\GwUi.exe

MD5 c573c235ac178a4333feb4272fd72e88
SHA1 47c038e1d74293beda54989aea28a23b40f41418
SHA256 9f2af28d5d898b13f062b3bb69074ace5d61fa1c1c1f362bea68c3ac59a0e884
SHA512 02c4bec2d81bc7ce7f69c7c1faa964b29c91fefeabdc28e7d3a5075f27944442618145c353210c571348e1291e540285c87f8d1e29d9e807a5896bf18a5b41fd

memory/628-1297-0x0000000000400000-0x00000000005D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kYAU.exe

MD5 f84144224825f2786753c2ff5d628fe0
SHA1 418ca0960dfd4a24e7ca4bdec5f7d78a9fdc9e34
SHA256 b80f92410e862c414e356be86edd3fa48e6768414c0ccc1b01a94b40a26417eb
SHA512 34b122987c60970a53095bf0bbe8b73e6ffe8cc88519712d0a3ce5ff9b7b66880117da8d5ff75c560a4c3e66d8e21479311480ad3f76a2bccae68b9dfe72eae5

C:\Users\Admin\AppData\Local\Temp\UYwI.exe

MD5 5afa8927294f83fe8d898fb616fe1793
SHA1 fc35837a9eff16388e130ea5f979b1a24b19f1a6
SHA256 a6416ca32ca2c4f4bde3463803b9b6cdf1a038fee8e77d7e25ff3ad653123454
SHA512 a2c7d0b9746cf0830793b052921b0becb01227f9b19ca4c9672d52b9b7e74941af21eae080c4f2141b4ca5e7a6fe5a003ba4d6993d29ffe3c9b79fc5a29ab12c

memory/2880-1313-0x0000000000400000-0x00000000005D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mMUe.exe

MD5 c75ee7f991f27b3abe78591e93692f6b
SHA1 69e488154515718da8cacc0476f350fe99cd21c7
SHA256 2b69a96daddafa24acf6115ac6b45f4b0219bcc8190f88ee7502a27d4ccc55a5
SHA512 dd96cde1d346bb55278367bcb32ff08984b854a86235be824469d9ad1164176b69d4efb1aef9f6e840d3cb3d7f57b4271cd493dd134185121fde95576d0aa1b4

memory/2880-1365-0x0000000000400000-0x00000000005D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\goEW.exe

MD5 543a2ab02e1a286ffabc0fb1a6a355c5
SHA1 e11955efcab2620bdd7d69d4c6bfc9d207c213b0
SHA256 b1d7665caf09928ee2f67d6c77dcc3be4264dc07808e06ab0e535cdfb9f6d715
SHA512 7208adcb94c25c81ebbc729fc3e8c27fc5eb8361fa42210cdaf152bdb8622a0a4d0190f1256e63c259f186c5b2d4346f4bc8a380756d93c2ce2574e37e7f6381

C:\Users\Admin\AppData\Local\Temp\yIME.exe

MD5 3ca68bb7e6ec773251a94cd8f0cbe7c7
SHA1 f3b373cef48876c15a1ecbe2d10dc59a9d441699
SHA256 15be1cd80cff2c7a73bccd00a032527cb18eccea1ce7d6a7a779436bb13a39df
SHA512 b261d0a60484ecbe149dd89056248ea0791a4b3eb510b948476afb9499ec42bc4538e8667fda4ce9046e21dcb51badbc6b8debe7b455a48046bf2440d52ab68c

C:\Users\Admin\AppData\Local\Temp\uEAU.exe

MD5 d119f3feee4cef705bd9f96560984e30
SHA1 e1fbb051b5b363d89a200a48ea38cb8536ab9d15
SHA256 24ef6055ee6ee0edea25873c9b0c38b337105b6c9b1a6aaa901f7d04594008c0
SHA512 985776edabfb922e4ddbcb128701f7f96f958c3f063e3bbaa248d8f4153eb2463736c050181ea1690141c14b4ecca9936747f60424b17ad941247a74908e2b36

C:\Users\Admin\AppData\Local\Temp\kosG.exe

MD5 1523e668dc3fd6d999d94b1487d7c6e8
SHA1 d3a64be981e7de8abd7882a2a9fc3ac13a76f75c
SHA256 362c5644e75da6917e17ff9195232e7c8c544f9a8994f817b72e201f0eb2b199
SHA512 60c1d43c9a03e6c91a63bd43ce9b5a20d232d5745812150797798675cb997f1d9434a18b435a5cc576962daf32ef3611ffe70e9b33531ff2d68b0f4110c7bb59

C:\Users\Admin\AppData\Local\Temp\qcII.exe

MD5 d0c69bd78ce44bbc9195492397c45bc5
SHA1 a149fc4f18bf802ebb092502f0400421af30a82d
SHA256 d03cfac29f1cd4be1c5101ea09cc767cab51e62127ade4b96feff87c2b4e13a5
SHA512 66b64e6a69627a052aecf02dfb28930fd29107ec6f72392ea846b2b8836d4303327bf520e581b2276c76b54e15d83072d90a4e680372976359c44ead8ce7f3bf

C:\Users\Admin\AppData\Local\Temp\QkAY.exe

MD5 a497baab6d0bed1039a4147a133888c6
SHA1 1c977a7b831e48cbc918a162aebec53b1e2956c1
SHA256 e467fb420869bc6a536dc3c951fe6c1c846b63cb46b2a7a2c9039042dde37db6
SHA512 4dc30f6a24f685e2925d18394e25241b929ef8caef1c79c476cc94921eda8df29b9dd21717f309c4b6e6104b3caa20bd15062e9a089892688250048ba7c05710

memory/4880-1441-0x0000000000400000-0x00000000005D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AmAk.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\wMUM.exe

MD5 fc770eb7a0d0a3bb3c7e3d2eb5a43100
SHA1 ea52b814801a63983c04d5e3203eda549d3fc4fc
SHA256 cd2237a2b0d24ca0e1fded07c14baf7b2f4fd4bbbd844e966f15a37fbc2d21de
SHA512 c4753125edbb901c131345a861e290e76cd720f6579807c237ccc40adadde2e43b1bdb0cae20985e7d94a715377e0aea3b3eb479ad03dddcb18a24def2c7add1

C:\Users\Admin\AppData\Local\Temp\gYwy.exe

MD5 81ab43cbe349a775c60c1432d8d931ec
SHA1 52084496c303d538835cbeec351da683cc3b85b5
SHA256 e289b9f4e9c8c2776902a574b253f80b156b2cdf5f1144ba67fab3d3ff38e346
SHA512 16da7bd836d0474f62b24ddd33c4af3619b6da1b0bdaaa8816e03ecb3f25007576b5c32397f95a21b5e9b0d25aa57d41e920eab95cdfbc5da394b9b951304365

C:\Users\Admin\AppData\Local\Temp\CIos.exe

MD5 fec0b1c807814a9468287f6dd36c3b12
SHA1 3d4739bee426bc389efb6a47f15075bdb5eac00a
SHA256 c2fb11f7e2baef46ff1621a86ce2d76d7a1d9574778654021c5fe95849d5eabe
SHA512 6a7938d7291a107c6d642606c06aa66e0b564ed019c47bf22208ae065435e22611613990b1f6706bbb258948e4ac6a30670e1602ce76edc777d48c55b9b79140

memory/4484-1490-0x0000000000400000-0x00000000005D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IsYS.exe

MD5 df2ebadf6624d3f7754a3b3aa932cb5d
SHA1 c3454d8bf69b562214da15c40e31f6d44a5e7765
SHA256 82ec1aadaae61ecc9c987086cd681827bf10a8b5da99bd3687112b25c0781f4c
SHA512 7ed3a6280e2f8deee48b8272bada713f2c017ae1dc77ba984def19aa485f92ba7b510476991b16449b18294887075d8c6edb1e911237cd41754eb700afc262a5

memory/4880-1482-0x0000000000400000-0x00000000005D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\igYE.exe

MD5 be4ec3c979819b347f43de3c3d4e238b
SHA1 9e142c76779067dba9ce8fc9e613bedccecdae3b
SHA256 59c6fa22aaf4fcb73d7c0ad7146fbc72e1360afb66920bc27c9dd1c30fb0c9b7
SHA512 7b748bef8c8f3af861b937af4aa9a427258eaaf67329a75a99ac4eaa101e53fb38b8c25ee66067eedcacb0891e256e7cae30f7c125485d418a1de7eaaefd1b6d

C:\Users\Admin\AppData\Local\Temp\aAQq.exe

MD5 47f380db37f03e7ecc4366002a73ea47
SHA1 1b72bd1146f0f2288e052a5961ccb1339d9d1c53
SHA256 0a261e0b5e04a4d4a5c2f2e5fb2352a264a727d4b7a35721941e515c5ff6acf8
SHA512 7f5fb6f7df954fc65ec3fa78d28adeed4cf18107a3599bde89c1c088698019bc80eadd895ffad97ea2bed2913bda8537a4bf23ad2ba5b44fb8d98c58993e20ca

C:\Users\Admin\AppData\Local\Temp\ecoS.exe

MD5 3a7517596c436294991eac32065f606f
SHA1 4b772968a2e33b1fcdf9dd81c9fa0f51c113ec1c
SHA256 d2080c98c2cc85b57576dd047fe6d87a3a8d962aef4a40500e3a698ef64b6ded
SHA512 b8f334720ab8622a391b30672f3242bba3b669d7f329516cd5978ab9361adbb1debb0d6b9b2ef156a11e3e6fdbba0dc1fdcb9e77891806518d256d624087cf4d

memory/4484-1564-0x0000000000400000-0x00000000005D6000-memory.dmp

memory/2608-1558-0x0000000000400000-0x00000000005D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ksEo.exe

MD5 c842d04b70b8788d7890d05fc4949e5a
SHA1 cd90bbf232d63a0826cfe9e8a374516acac0e903
SHA256 06d74ac9b53ad00019d40a6cfe3c918570095a05ab9fe3c55db797045e9cd88b
SHA512 11b7fb5a42326f54d1985374f0d3fd9fc74d043f53ef1ee115c5e6b1467a0524a7c90faff5d0376167ec463258a50981da07528d5018b284c467ad271c2bc4a2

C:\Users\Admin\AppData\Local\Temp\cwQA.exe

MD5 e29e60a796392422649bca497ebd2cee
SHA1 2383c9064b63eae8133c246379e7a09dd9a38886
SHA256 e494136feb7d95f1f0de45a4b5b2c737ded3277b977114e99b1110bea53ffde0
SHA512 d79b4bea52f641287a0b84c9bed77ebbd780e192f1cb55bff9b45f756f19864948252d245e5f2b6f8580de9a8a85fd114c1ee139e86863131fd69416f6d77ff3

C:\Users\Admin\AppData\Local\Temp\Icci.exe

MD5 ea5bf5efdd3411cf7c5bdd596b98f7c3
SHA1 ba7dfb6066c07ccf06f6a4b1cfd185ff9ac59ebf
SHA256 cbfb419cbc79a11013567b7ee091f4c645fcd691f2c8226ecb0cc384ff26a5de
SHA512 dd2952dc282c78d584e1e69d43abc75e558653f988a4588dd8d856c4c2736efc7ef25cbc70a10f138a2276b0c0f97e869d2c00e368daaad7a01a5eb3e981d332

memory/2608-1587-0x0000000000400000-0x00000000005D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aQoO.exe

MD5 c347b8eb03cf24a4279124d620cc8968
SHA1 e1c67c1d7f4b95c50a8ed40840ebc0fd1de7dd3c
SHA256 518b3a56d5e0d28491edf0b5534f31b6474b2949dd3ce70cb77ae01c18113100
SHA512 8df0a169e03071c68731b271087fee9a4cb9d6be8f1ab54f71ec239dab37f03d8a3f5484e56fb05830bd28b644c2e18aaf9a3ba02cabd038fa41380ce2caacbb

C:\Users\Admin\AppData\Local\Temp\iogW.exe

MD5 8786ef478e2c8b7c1d540ac928ae2398
SHA1 f00b2f8143748f1964abeafb6aeb5adf2038bea5
SHA256 56f5fe1b15fb3e10a4a1d2a643f496e24d1addc11cd070ebabeadbd2b875e8cf
SHA512 c0e17139a2fddf3ee873323eb6333d4f0f355c4b54317e0031f50f27460d013cd8509e369a96622993ef8c0abbbaf62cd722cc9d0d2873cb7919612a9adf4954

C:\Users\Admin\AppData\Local\Temp\WMoa.exe

MD5 2ffe7bc3b4eb6a1e83bbc6a82a7238af
SHA1 182e4c1931092c21057aa544f9f6330a5cdd1287
SHA256 9dfd61b8f16a5fc6218af381bb4a0c3b9375531b7e77454f5047c1a32d1bd57e
SHA512 ae87b026588c74272508513b86254769e3783fd5f3d56f6de4e38013b624207a68a379c35bba09560551d74a2b813b93496d2dfda66e765b0d05ab6441e8724e

C:\Users\Admin\AppData\Local\Temp\Ycsg.exe

MD5 b2dcbaafc7d3d28d7afce6aa13b9eb3e
SHA1 af9c01f304c8e06172d61220ce1ae0ec00c4ba33
SHA256 ad1578a3414f495744cc9c63931fdf37f1f12ea98461c3ba3799800883c62beb
SHA512 7ee69d2e6dc746a22e3adc4ced52c46106cab303f8a2652dec22120c4be48d2babd7ac5c242cfa86a33753e59ff4b127dbb8a15787b6af58a071dcbf3c2c195c

memory/632-1691-0x0000000000400000-0x00000000005D6000-memory.dmp

C:\Users\Admin\AppData\Roaming\MountBlock.png.exe

MD5 7be334a0e39e1d1ffdb66f14fa08e52e
SHA1 dac32c86de86509105adb1a6536c00cfd6b2ae66
SHA256 3f2e043431c3842c363c97808ecb803a9f24c9654f18e2f3fcc0d1a57a2790c7
SHA512 16d864bc233f3ab826ebf4b3f2e60aa4e8d64a701521f7e94f30cb7b9aeb1fc1e5af76b62eaf82bdee128f4aa54d3166508bf641c30dc6019c4091d2ee0bf9fe

C:\Users\Admin\AppData\Local\Temp\EcIA.exe

MD5 4411578848a8909b9cbb514a046b3153
SHA1 5fb7902cc3ab249fd0994ee06b0c43aa5c3f2a22
SHA256 1a0f675ec8df0ebc14f06a915f47da1b4dedfbbea893a3061b423be7afc4704c
SHA512 95251e4c60ccf791f40f8b22d37d77ca3cfd5d01e4059e60b6e2525af527000e1514ecb59f3787a76a868eeff929a130d0d9d2a55734b67c49378c666789f475

memory/4516-1683-0x0000000000400000-0x00000000005D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KgEA.exe

MD5 b3523b8b889bc418ab04f8c81d9acf61
SHA1 caa3cea6e6ffe8cef19c43b1d798d115b9d7e969
SHA256 05bd355e6b0a8d93b47f8e7bb2a0cf5bbd684e0d38ce1488d2885e71ef294f82
SHA512 9fbc2e5dd98ad1a429b926f6e99ac25e43d4549632b46deffd17dcdf2e04d1f75db485e3368510a9f012d0c896116b0b661b90ca3d81bc3ada714b0ff619fca5

C:\Users\Admin\AppData\Local\Temp\yYMa.exe

MD5 340cff0489f8ef77bba4cf6d03df8da5
SHA1 668f6e4b9b5e49be1885d4b03f5064bd0e733403
SHA256 59d980df5988970dedc51842966ca1ac2d55cce6bf8adebb225071d7481d7c23
SHA512 e9ff44635e4390517ae87a1ae237cfa64ff813123153a8b86b54901d6b18596acf605b43225d4e124af7a8e3839cfd37483fc642feac8193c81d9d42182d69fe

C:\Users\Admin\AppData\Local\Temp\YkIW.exe

MD5 11a042e1340d47f5c3713499f5f14b08
SHA1 6efd161d045f4948999d9f872554abd1bc85c6cd
SHA256 7ff5d94c02f67ea9592ea3b2b7d8d03c3d6fab35a77c1bcc9ad68dbd3fb04746
SHA512 e30f9987868162b7cdb42729500223f8652bcf93135b01ae8d3bec00cef66446e70fcb97c235bd06e936074ee96b521c36fde12eb2572235d9c4c0f873b80141

memory/4516-1755-0x0000000000400000-0x00000000005D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GwYS.exe

MD5 3f4c9a97d90fb2f0e146face77bb2bf6
SHA1 036f835fd81d089e1c7e5581d989eb171676e0ee
SHA256 527e15ce49979049325328c00c04f506f60fcddde58222ca6feb515949a70fc0
SHA512 16c5b87d57c800286330f919024ef34d5eab5ed8d0326bd267a8980717d6cc81a2e5e7f687642f3759643a46a38f2f2845eefc52e0dcae79423813c87fc24260

memory/668-1770-0x0000000000400000-0x00000000005D6000-memory.dmp

memory/668-1778-0x0000000000400000-0x00000000005D6000-memory.dmp

memory/5972-1786-0x0000000000400000-0x00000000005D6000-memory.dmp

memory/640-1787-0x0000000000400000-0x00000000005D6000-memory.dmp

memory/4532-1792-0x0000000000400000-0x00000000005D6000-memory.dmp

memory/5972-1796-0x0000000000400000-0x00000000005D6000-memory.dmp

memory/4268-1801-0x0000000000400000-0x00000000005D6000-memory.dmp

memory/4532-1805-0x0000000000400000-0x00000000005D6000-memory.dmp

memory/4268-1813-0x0000000000400000-0x00000000005D6000-memory.dmp

memory/4444-1821-0x0000000000400000-0x00000000005D6000-memory.dmp

memory/5128-1822-0x0000000000400000-0x00000000005D6000-memory.dmp

memory/1556-1828-0x0000000000400000-0x00000000005D6000-memory.dmp