Malware Analysis Report

2025-01-22 19:54

Sample ID: 241016-z3zs3swhlm
Target (submitted filename): 5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c
SHA256: 5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c
Tags: discovery evasion persistence ransomware spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1: Detonation Overview, Signatures
Analysis: behavioral1: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2: Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score: 10/10

SHA256: 5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

Threat Level: Known bad

Malicious Activity Summary

discovery evasion persistence ransomware spyware stealer trojan

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple files with added filename extension (60 files in one behavioral run, 52 in the other)

Reads user/profile data of web browsers

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Modifies registry key

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-16 21:15

Signatures

Unsigned PE: the sample carries no Authenticode signature. The report lists no row-level detail for this signature (Description, Indicator, Process and Target are all N/A).

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-16 21:15
Reported: 2024-10-16 21:17
Platform: win7-20240903-en (Windows 7, English; 64-bit, as the SysWOW64 paths below show)
Max time kernel: 150s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A (51 identical events)

Notes: HideFileExt = 1 is the Windows default (known extensions hidden), so on a stock profile the write changes nothing visible. What it does is undo the common hardening step of showing extensions, which is what lets a dropped "report.pdf.exe" display as "report.pdf". The value is written through reg.exe rather than the registry API, so the reg.exe command line (key path plus value name) is the practical detection handle; the 51 repetitions suggest the write sits in a loop the sample keeps re-running rather than a one-off.

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A (51 identical events)

Notes: The signature name overstates what happened. EnableLUA = 0 does not bypass UAC; it switches UAC off for the whole machine. The key lives under HKLM, so the write needs an elevated token: if it succeeded, the sample was already running with administrative rights when it launched reg.exe. The new value only takes effect after a reboot, so this prepares later stages (including the Run-key copies listed below) to run without prompts rather than gaining anything immediately. Hunt for reg.exe with "EnableLUA" in its command line, and read the value directly when triaging hosts.

Renames multiple (60) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A

Notes: Geo\Nation holds the user's configured country, so this is a region check made by one of the dropped copies, not by the original sample.

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Notes: The deletion is handed to cmd.exe because Windows will not unlink an executable image while it is still running; a child shell that waits for the parent to exit is the usual way around that.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\VQYMYoYQ\bSMgMoUo.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\dEUIMoIU\YiQQIAsc.exe N/A

Notes: Three copies, each in its own eight-character mixed-case directory with an eight-character mixed-case file name: one under the user profile and two under C:\ProgramData, a location standard users can create folders in. The random names defeat path-based blocking; the directory-depth and name pattern (one directory, one executable, both eight letters) is the more stable indicator.

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\bSMgMoUo.exe = "C:\\Users\\Admin\\VQYMYoYQ\\bSMgMoUo.exe" C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\bSMgMoUo.exe = "C:\\Users\\Admin\\VQYMYoYQ\\bSMgMoUo.exe" C:\Users\Admin\VQYMYoYQ\bSMgMoUo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BwQUQIIs.exe = "C:\\ProgramData\\hoYMgUAk\\BwQUQIIs.exe" C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BwQUQIIs.exe = "C:\\ProgramData\\hoYMgUAk\\BwQUQIIs.exe" C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BwQUQIIs.exe = "C:\\ProgramData\\hoYMgUAk\\BwQUQIIs.exe" C:\ProgramData\dEUIMoIU\YiQQIAsc.exe N/A

Notes: Two persistence points. The HKCU Run value (bSMgMoUo.exe) starts at the user's logon and needs no privileges; the HKLM Run value (BwQUQIIs.exe) is machine-wide and needs admin rights to write. The Wow6432Node segment is WOW64 registry redirection: the 32-bit writer asked for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which on 64-bit Windows lands under Wow6432Node, so a 64-bit hunt tool must look there. Each Run value is re-written by more than one component (the BwQUQIIs.exe value by the original sample, by BwQUQIIs.exe itself and by YiQQIAsc.exe), so clean-up has to stop all three processes before removing the values or they come back.

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\VQYMYoYQ C:\ProgramData\dEUIMoIU\YiQQIAsc.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\VQYMYoYQ\bSMgMoUo C:\ProgramData\dEUIMoIU\YiQQIAsc.exe N/A

Notes: C:\Windows\SysWOW64\config\systemprofile is the profile directory of the LocalSystem account as seen by 32-bit code, and the VQYMYoYQ\bSMgMoUo subpath mirrors the drop location used under the Admin profile. Writing below C:\Windows again requires admin rights. "Opened for modification" records the open, not what was written; the file contents are not listed in this report.

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A (32 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A (16 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A (9 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A (7 events)

Notes: Opening NLS\Language is part of normal Win32 process start-up and is done by benign processes too, so on its own this signature carries no signal; the 64 events here are simply one per process instance. The useful fact in this table is the process list: cscript.exe appearing nine times shows the sample also runs scripts through the Windows Script Host, although the scripts themselves are not listed in this excerpt.

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A (64 identical events)

Notes: Generic reg.exe invocations with no indicator recorded; the concrete writes are itemised under the HideFileExt and EnableLUA signatures above. The report does not record the reg.exe command lines.
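
The registry rows above (extension hiding, EnableLUA, the Run values, the Geo\Nation and NLS\Language reads) are easier to act on once repeated rows are folded and each write is mapped to the command line a hunter would search for. The script below is an added example written for this page, not tooling from the sandbox vendor or code from the sample; the rows it parses are constructed from the rows printed in this report, and the severity labels, helper names and reconstructed `reg add` command lines are its own assumptions (the report does not record the real reg.exe command lines, and from a 32-bit process the HKLM Run write would have been addressed without the Wow6432Node segment).

```python
"""Triage helper for sandbox registry rows of the kind this report prints.

Added example; not part of the report or of any sandbox vendor's tooling.
SAMPLE_ROWS are constructed from rows shown in the report (one copy of each).
Severity labels, helper names and the reconstructed reg.exe command lines are
this example's own assumptions, not data recorded by the sandbox.
"""
from collections import Counter
from dataclasses import dataclass

SID = "S-1-5-21-312935884-697965778-3955649944-1000"   # sandbox user SID, from the report
HKCU = "\\REGISTRY\\USER\\" + SID                      # native path of that user's hive
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe"
REG = r"C:\Windows\SysWOW64\reg.exe"

# Constructed from the report's tables: one row per distinct event
# (the report repeats the first two rows 51 times each).
SAMPLE_ROWS = [
    rf'Set value (int) {HKCU}\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" {REG} N/A',
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" {REG} N/A',
    rf'Set value (str) {HKCU}\Software\Microsoft\Windows\CurrentVersion\Run\bSMgMoUo.exe = "C:\\Users\\Admin\\VQYMYoYQ\\bSMgMoUo.exe" {SAMPLE} N/A',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BwQUQIIs.exe = "C:\\ProgramData\\hoYMgUAk\\BwQUQIIs.exe" {SAMPLE} N/A',
    rf'Key value queried {HKCU}\Control Panel\International\Geo\Nation C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A',
]


@dataclass(frozen=True)
class RegEvent:
    op: str        # "set", "open" or "query"
    vtype: str     # "int" / "str" for writes, "" for reads
    path: str      # native registry path (value name included for writes)
    data: str      # written data with the report's "\\" escaping undone; "" for reads
    process: str   # image path of the calling process


def parse_row(row: str) -> RegEvent:
    """Parse one 'Description Indicator Process Target' row as printed in the report."""
    row = row.strip()
    if row.endswith(" N/A"):                 # Target column is always N/A in these tables
        row = row[:-4]
    cut = row.rfind(" C:\\")                  # the process column starts at the last drive letter
    if cut < 0:
        raise ValueError(f"no process column in {row!r}")
    desc, process = row[:cut], row[cut + 1:]
    if desc.startswith("Set value ("):
        vtype, _, body = desc[len("Set value ("):].partition(") ")
        path, _, data = body.partition(" = ")
        return RegEvent("set", vtype, path, data.strip('"').replace("\\\\", "\\"), process)
    for prefix, op in (("Key opened ", "open"), ("Key value queried ", "query")):
        if desc.startswith(prefix):
            return RegEvent(op, "", desc[len(prefix):], "", process)
    raise ValueError(f"unhandled description in {desc!r}")


def collapse(rows):
    """Fold repeated rows into (event, count) pairs, most repeated first; no event is dropped."""
    counts = Counter(parse_row(r) for r in rows)
    return sorted(counts.items(), key=lambda kv: -kv[1])


def needs_elevation(ev: RegEvent) -> bool:
    """HKLM writes need an elevated token; writes to the user's own hive do not."""
    return ev.op == "set" and ev.path.upper().startswith("\\REGISTRY\\MACHINE\\")


def to_reg_add(ev: RegEvent) -> str:
    """Equivalent `reg add` command line for process-creation log hunting.

    Assumption: the report does not record the real command line; this is the
    invocation that produces the logged write. Wow6432Node is kept as logged so a
    64-bit hunt reads the same key the sandbox saw.
    """
    if ev.op != "set":
        raise ValueError("only writes map to reg add")
    key, _, name = ev.path.rpartition("\\")
    if key.upper().startswith("\\REGISTRY\\MACHINE\\"):
        key = "HKLM\\" + key[len("\\REGISTRY\\MACHINE\\"):]
    elif key.upper().startswith("\\REGISTRY\\USER\\"):
        key = "HKU\\" + key[len("\\REGISTRY\\USER\\"):]
    rtype = "REG_DWORD" if ev.vtype == "int" else "REG_SZ"
    return f'reg add "{key}" /v {name} /t {rtype} /d "{ev.data}" /f'


def triage(rows):
    """Findings as (severity, text) pairs; the severity scale is this example's own."""
    findings = []
    for ev, n in collapse(rows):
        tail = ev.path.rsplit("\\", 1)[-1]
        if ev.op == "set" and tail == "EnableLUA" and ev.data == "0":
            findings.append(("high", f"UAC disabled machine-wide by {ev.process} ({n}x); needs admin, effective after reboot"))
        elif ev.op == "set" and tail == "HideFileExt" and ev.data == "1":
            findings.append(("medium", f"Explorer extension hiding forced on by {ev.process} ({n}x); 1 is the Windows default"))
        elif ev.op == "set" and "\\CurrentVersion\\Run\\" in ev.path:
            scope = "machine" if needs_elevation(ev) else "user"
            view = ", 32-bit view" if "Wow6432Node" in ev.path else ""
            findings.append(("high", f"{scope}-level Run key{view}: {tail} -> {ev.data} by {ev.process}"))
        elif tail == "Nation":
            findings.append(("low", f"locale check (Geo/Nation) by {ev.process}"))
        elif tail == "Language":
            findings.append(("info", f"NLS Language opened by {ev.process} ({n}x); normal Win32 start-up, no signal alone"))
    return findings


if __name__ == "__main__":
    for ev, n in collapse(SAMPLE_ROWS):
        print(f"{n:3d}x {ev.op:5s} {ev.path}")
    for sev, text in triage(SAMPLE_ROWS):
        print(f"[{sev}] {text}")
    for ev, _ in collapse(SAMPLE_ROWS):
        if ev.op == "set":
            print(to_reg_add(ev))
```

Feed it the raw rows copied from a report (repeats included) and `collapse` gives the per-event counts shown in the tables above, while `to_reg_add` turns each write into the command line to search for in Sysmon or EDR process-creation telemetry.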

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A (26 identical events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A
N/A N/A C:\ProgramData\hoYMgUAk\BwQUQIIs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1684 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Users\Admin\VQYMYoYQ\bSMgMoUo.exe
PID 1684 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Users\Admin\VQYMYoYQ\bSMgMoUo.exe
PID 1684 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Users\Admin\VQYMYoYQ\bSMgMoUo.exe
PID 1684 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Users\Admin\VQYMYoYQ\bSMgMoUo.exe
PID 1684 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\ProgramData\hoYMgUAk\BwQUQIIs.exe
PID 1684 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\ProgramData\hoYMgUAk\BwQUQIIs.exe
PID 1684 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\ProgramData\hoYMgUAk\BwQUQIIs.exe
PID 1684 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\ProgramData\hoYMgUAk\BwQUQIIs.exe
PID 1684 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\cmd.exe
PID 1684 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\cmd.exe
PID 1684 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\cmd.exe
PID 1684 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe
PID 2640 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe
PID 2640 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe
PID 2640 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe
PID 1684 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 1684 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 1684 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 1684 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 1684 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 1684 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 1684 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 1684 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 1684 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 1684 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 1684 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 1684 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 3036 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\cmd.exe
PID 2508 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe
PID 2508 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe
PID 2508 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe
PID 2508 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe
PID 3036 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 3036 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 3036 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 3036 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 3036 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 3036 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 3036 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 3036 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 3036 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 3036 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 3036 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 3036 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 3036 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\cmd.exe
PID 332 wrote to memory of 1492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 332 wrote to memory of 1492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 332 wrote to memory of 1492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 332 wrote to memory of 1492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2568 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe
PID 2456 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe
PID 2456 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe
PID 2456 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

"C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe"

C:\Users\Admin\VQYMYoYQ\bSMgMoUo.exe

"C:\Users\Admin\VQYMYoYQ\bSMgMoUo.exe"

C:\ProgramData\hoYMgUAk\BwQUQIIs.exe

"C:\ProgramData\hoYMgUAk\BwQUQIIs.exe"

C:\ProgramData\dEUIMoIU\YiQQIAsc.exe

C:\ProgramData\dEUIMoIU\YiQQIAsc.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zosYMAkU.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fSgsQkQI.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yMgQEMcE.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\myIoskkY.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EksksIsg.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kukwIMgo.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWcIcsAE.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NEgoEoYs.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jOsMQAYc.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LkMYUQkA.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vusEYooE.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CKkcsoAk.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uucwwEkw.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IwcUUcAA.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KmEcIEsU.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IIYgYIck.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nQcAMkII.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XeIYgIAg.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fCAsQQAM.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pugQMksY.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vYkIQccg.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SyEgQYoY.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gosMIEUk.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AgEUIkcg.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qmQkEcoU.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\REUUcgAM.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FGsIoosA.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\luQMkAwU.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SYcgEwcU.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "8747098441692699728-1429107180-17376993421231526445-742778161-656209005722826835"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ucIsYYMU.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\accIYkko.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AEIIAEwE.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RWEIsQAY.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XecMEgkc.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1743884421-1033766154-1550328997-589571185-441762670930072109-1453532173-1294506207"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iUwQgAsU.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "213560221114001470601032518616148037381145328108678521411561106727-13986796"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IuwUwQsU.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YSscAgYA.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NqgckggQ.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lwscgkMg.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\faQYYYII.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "10469718981095906090760727791-588748358-1407571819-1291714504431453972-1208300918"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ogMoAoko.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "317903892-1589382480-1918947526-565607699-45964556718698203716688692251909655917"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "183893182968212870469523466-175672518969965721427046999-1253479360-1811337269"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UyIUsQIo.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2105483079-682508538-97586886-15007314082173713711797890990641524580-1927219948"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CoMAgsQw.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YyQwYgQw.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2044922471688703781-657549108-2089816811-701326510-16978802051365980692461511140"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1399259651-1346650312-10318281691450704058-3177382131911798650-2015643036461146080"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RqkgYkMM.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "920993105-908720040-1210082388-6595686-324904330-84252373712611092611309530207"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\baIMkgkw.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "14089996576560871761028145253-820675873806544918-1557110946-18348195521766156927"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vUoAUEkg.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "438639347-1975283138-172291391518390736568865468-3332735861064301714-1388109437"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rkUckQQw.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YIIYgkwQ.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aScgUAAU.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "14639988881886909097-5182908041313304150-1814458760-11531002559696516572043118683"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
GB 172.217.169.46:80 google.com tcp
GB 172.217.169.46:80 google.com tcp
GB 172.217.169.46:80 google.com tcp
GB 172.217.169.46:80 google.com tcp

Files

memory/1684-0-0x0000000000401000-0x000000000046B000-memory.dmp

\Users\Admin\VQYMYoYQ\bSMgMoUo.exe

MD5 9c57b036a9134f871822fc2513dfe596
SHA1 a8166c10c6b5d37c16a559c268ba9c9e117bd9a7
SHA256 df7eadc003b41a0bcf04404ace5aab9d171e833264005c8de95c688b2611e658
SHA512 e0676ad2dba8f8e01d01dc70376037fcca2fd19697b7e11e40eabc0cb279844b2cfae62964ba305b6b70694200e5cd4b7802ea68060d5ecfdb2819eced5e396f

memory/2912-10-0x0000000000400000-0x000000000046F000-memory.dmp

\ProgramData\hoYMgUAk\BwQUQIIs.exe

MD5 39232cb42fddee472cd11b9c931124ea
SHA1 0d2812a1f6aebd7ba2ece7f41ce17a34bcfb93da
SHA256 214df5420263ffe87663d1423f1733525d82f053fd64b2f0cd57f67728494f85
SHA512 33ad2faabb38eec350597b4252a2b335b1e5c8a97fd764c4151ecdabf350c0d55d3c6d88183e4819ecc5d0599e107a1aa4ffe842021b55e573b126771ae302f4

C:\ProgramData\dEUIMoIU\YiQQIAsc.exe

MD5 ac9632f446033791c848e3c46748b080
SHA1 cb7a3c19f448b83ad5c4b53c67b622731cf1479c
SHA256 180d10edc7a4b2b1db17a155cbd8511f851a2d26720cea06d4e4e4da6df0b29d
SHA512 e1c9c9cdea912a4c0d2f41f7da3acaf82995a2a6e397404939286bc5c7077226c83628ce6a7c6af671f05c7856f5c90dccc874de16a2ff388d124e7c87098492

C:\Users\Admin\AppData\Local\Temp\vscIYswY.bat

MD5 f77ddd86eff4fbd4ce4efabc111a942f
SHA1 b16e88b0bc426c1c5e1b34c0a68eb3eee6f0327f
SHA256 c123e71af70284ca8acc0e17d6398083cb5121ab11da9cc4995cd9ba20cb8624
SHA512 446e7106487baa34fc106e1032557edd0df2c721eca2d06f1ed94020323b710e7cc19fbc857a42798d4e43759f64173a9b9cb410e508d7c249f7db5067d913d1

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

MD5 4dbc9f9e6f5a08d299bac9e54df07694
SHA1 bb38f5de34b1e0be1109220ba55271087a4d9ea5
SHA256 91c2718dd23b4356d71f88f6146868369033291086df327534546dfa459beb0e
SHA512 a5f2b1f47502836130d8083f757b7773c1e1cb36b76ad298cc29ab2b428c8002d2f15bd839838fc326dac3681c2f48ab25a3e7631d33726c4b25e8ec14170912

C:\Users\Admin\AppData\Local\Temp\HuckMQcE.bat

MD5 06fd50de75a01135221eeaaf25ace9ba
SHA1 26489d84d9b3da94d182e5ed1aefcece07d56290
SHA256 e2021dbb7af292fc35f9b3985384b21f3e806627fa0958a61b6520307c7b7b63
SHA512 b032d0bfb67c8fd63d60725c6568337b7fb4316e0f311115241d4d09a70dcac13a75b5a9d825617632a5639b550aa6ad7fe56244e709cda94365592851cd2b92

C:\Users\Admin\AppData\Local\Temp\zosYMAkU.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\ZCskUEow.bat

MD5 296daf7ca4273f13ac908504ab40f446
SHA1 1feeae60bd50ebf350058ae1c74c15dd1259931c
SHA256 4d989a19c5fd6980c4490ff525e1d6f7e2efa395d61b7a2d817e438344273706
SHA512 10a3d9adb5a595207a3ce8f72d0a2324f4563b00963f718ebafb63fb17ef6b47705a553268ccc4a318b84b0f51736bad51abe4d2726db42fbe8b172ef0bb08eb

C:\Users\Admin\AppData\Local\Temp\uYEEoEYM.bat

MD5 15f91e222b58858184b44a78a223c5a5
SHA1 726f3e167431083c63dd17dab7a769c48f72af38
SHA256 f716f250d54a3c444aa7e0eb42093b50c3cfe5eeb4ef6dde6a930f22a9b13195
SHA512 feb9ba93480f652ca2cd6661c74a362b2f371495ef1f771ea5262d4248ab364d7646cb1693064bc61dd330538f6181036ea5ecbda7089ba0d0f4648d95cefb64

C:\Users\Admin\AppData\Local\Temp\UIwsMkUM.bat

MD5 0f6a526f6b2fa0e1c0145a4948c938c1
SHA1 2bbb038b9264456df473dd901c0cb65f6134c491
SHA256 81030a9d0056f86de48a041b20f08ffcb6dac7e21a2527a4a59ac03a0b764a0c
SHA512 91868717b202907d435014b33996a3ceb0dd30403b0819f23aafae520635a7909f0a993f1ca75112d48a063e9ffa90cc27857698fd3227d3c27957b05238e6b5

C:\Users\Admin\AppData\Local\Temp\EmwoksUk.bat

MD5 b3696d0b189c9c75207a09ecafb9f140
SHA1 99908d6b183de6df4536eff599f4ecadf1f1b129
SHA256 e8135c452b037880a65d161b05b14f2b19f6b64355dc2741759976ca5454e08a
SHA512 7ec77c6eccba37d36fd568653bfe51fe8b931e34139b0af9a3c87c10cca6595092b7637d93d27f5b13910e35b3ac88ad71be1fcbc5d9082718805061aaac6d38

C:\Users\Admin\AppData\Local\Temp\cMoEQcck.bat

MD5 0aa99e232083ee071968c6fcc8e2b466
SHA1 5dbce3f9eaf8a00d71ecd2812bdf44baa2ff126f
SHA256 c9e6a28831eff84173255bda27b5fcb23b4e20628c95fddbd15a3b7133837638
SHA512 54eb413b8b2e59a761c0e509ad629597a23960c55bee33dc3a43ef6c5b3bc4e3972d1229e540a41234ed2e728aa3f779db2cc13b8175db487e8bd6bf1a823aec

C:\Users\Admin\AppData\Local\Temp\UGcUwMEE.bat

MD5 ea856d785b3e6c23a205d223667a9fea
SHA1 e20d5642d4057bdb9c3ec7a99ded3d62940ce6d6
SHA256 f7d1ddb8f042cda0d5f902dccf1b2f7d9b52f70d38a23dd077ace220f219bb81
SHA512 b35a36d9f8113e69b3c9c6ac877ec12424d69b22cc7240dfb794abd94a82bea44913ee834ca82ef9bfa7d0009609ce06668d1c497582aee3f418506a8109a532

\??\PIPE\samr

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\xukMkUIY.bat

MD5 6f028c75f142ea628023e5c941672362
SHA1 b85ee6e6416cd044599bfe96b9cb572f1e768b05
SHA256 edf1e6ea847f9998c833e5d5d66e7735641abaa12870ef15b273e54311ed57c5
SHA512 7d820b52ffd6d2c9e4b702f0caaf54b4cf7803c1fd99706d0b3c54195361c6a7cb741ba2948da5b259021891677f87e01aa663446e89e3ab90ea455813487aa9

C:\Users\Admin\AppData\Local\Temp\ZIAAAUoA.bat

MD5 392a49b547d2c3175fbab3b2fb63f2cb
SHA1 9093af71a430eda75423dfe71bc0210ad0d5ae97
SHA256 68ddcdf5d4d11968fa2f4551c888bbbbbccf808aacbb8f9f0e724156a4f84172
SHA512 dfc56b67f538e677f29f2c2f49cbd4952f22cf621750e829d3b23b0db75ec88bf03a2a66011919dc2d61c12404bc47086afb4b69f5bec44d6c4a9141b94ecbb6

C:\Users\Admin\AppData\Local\Temp\ryEMsYcY.bat

MD5 a575bb5ef905ec27e2ebba20110ae350
SHA1 ffe9ce0d6c6f55286271f5c73760d9f214c21e85
SHA256 9319f2aceb3892ca3816ed2b547e37e381afbedfd14fdf4463c77a0aef37cd26
SHA512 bd26bdb079cd63f4fc914bcbb2f8fbcbeca18578fc25b34ffc5d2c3034f659396a55275f11c62d6a2042a33264e858c79f600c95ef9216a593822482f3fda718

C:\Users\Admin\AppData\Local\Temp\BOYMUgAY.bat

MD5 a8902d1d843597374f16ace37d954f7e
SHA1 f3be698a35b01d698afc3d52a54c19f8e3bc3218
SHA256 9e24aa221b44b0b1ce579129abce9a3330914c14ccf0d046295a15651adf4481
SHA512 c469806f88e2cde8fb865afa12bac47771603416c2c45e8ac1c474f9f74de7ee64c81dd07bbd55ede06c5a2965ac841c2a7bd8e5064015956fab51d623f8cc5a

C:\Users\Admin\AppData\Local\Temp\gKoswMgg.bat

MD5 9fbfc30f64faf7ab174db3e9dcf9bc2c
SHA1 8ef3f1b04551a687f232c4ffd97d02374c9e49f7
SHA256 47f36673b9181be76ab9df522627417c53bcee01a49ef49b153c969e230de4ec
SHA512 a4cbac6fa3048358241e38f25ab31aaabe0b14ca53e433a6ed77276b3c9f022e63883425830ab79863f238b4f63060535a727c1612ceb99eeeea2894a0f14705

memory/1684-271-0x0000000000401000-0x000000000046B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YmwkwgoI.bat

MD5 5534220825a3938da58e26560c19040e
SHA1 164059d9c54b25732affd2cf874bd09c2e6eee46
SHA256 b93c2bb5f1f2f7805c4c068e88e8c2e160ae2a3def15e2d4ed450df4cf8b7865
SHA512 591b8eab2cd42bf8a2ac76ff5b8abc0c628f2e140f57e424f5ead055d85acfd416a5db595e31defba6fe74e38aa12389e19721805d6822771c6c2b268e0885ec

C:\Users\Admin\AppData\Local\Temp\SqUsgsEM.bat

MD5 85475d4fd87892fd707096b24da9d90f
SHA1 3c9d0c511ae9d2183fb0b7ac0ebb541f5cb3110f
SHA256 72bc0d77235b0db9ff34da20fec4936efeed235895f88727182a07ca321225ec
SHA512 53f00b0c3f8683b092fad52c3dcd9f372bfccb6791f118534e981ba8af67bacd181af84694d5b60ac164ad66bdf3c3874004f9feadb4d25632d1ccf3611fed17

C:\Users\Admin\AppData\Local\Temp\MAQUkowE.bat

MD5 6ded2147b78f60e62d09e6ff61a55644
SHA1 428707f4dbc0fec1bcdc291654b7d0f16d55da6b
SHA256 0edc372690367086475a221818fd49b591cb5ff33e8bdbd2d840d64eb2442a80
SHA512 8ea49b4280ec4d354fa03b0af4a92ef59e237f67fa80b1e6c60fc421d8a6025878ddda4bdfa428f1c3a0b364fa879869804a65caa4290b1449d4348f1dda5e85

C:\Users\Admin\AppData\Local\Temp\ywMcAoIk.bat

MD5 6ea38795f96b0e1efc9e12f54a5285cc
SHA1 49c838d5ac75f83d83aef60e10ae9a65ef550b8b
SHA256 a91bc07900aa503b06417ccc3257d9369a195d9f17df13ffd334c1c73319ead5
SHA512 d3a6335a35ec9da58392ce2732240bfc371f3242bed1a580e92e6dbe37f34cf1da69f10347c54e87099849216072d43703f0603add4e46c4857d21873685a061

C:\Users\Admin\AppData\Local\Temp\LecMUAQo.bat

MD5 f553521ad73dc660035095e0b11c2b8b
SHA1 8182c5178f7b7d7dcc174adca902d680a5209503
SHA256 4c17dc9bc7cd9de7833b4873384d5e64eb27446399d6b1a719b9309e4fd62a67
SHA512 a1073a9a72aff1a55541e579d6aeb9e12453d3fcbb90837b371f411924afb1b391e55a0c7dc57ab3e4be470f802f4379cd349fb017d166c992d6829f83de2ca0

C:\Users\Admin\AppData\Local\Temp\lysEEIIw.bat

MD5 4770fa54c31bdf51d04dcc62d199fca9
SHA1 12d6b935af80ea33692cbd9f4a752dbcacffe464
SHA256 9896357d771ee0d07d2dae385beed817428218709272bc19ea827b90d4c32b7b
SHA512 43c284801048dc8f144542522fa4a389282e1b0540609d24c0f1726ff25a7d5e61b948b25df887e4429da7feaf93dd04de1e0222cfd0ef25b09dc4320fe36576

C:\Users\Admin\AppData\Local\Temp\twgEQswc.bat

MD5 5e4c573fd1a47563f4dd9908111cffe0
SHA1 72eee68cd5ed1959e164d1ed863dddbd0b60fbda
SHA256 88624ed83a0a6c572cdd3ce1ff06e31de7abf119b0884eb5e7b2ef2c6a4adb30
SHA512 ac145411a35e8fdc31610a8a9eb20e83e0a4473ba479d789243b219ea2916e14427573b84a94ac2996f1d49ce5a07bc0120cf5222f416a677ea6c389004f722c

C:\Users\Admin\AppData\Local\Temp\lCEwIIsw.bat

MD5 8713ef0b4423cf33fd2e0f40921d2ccf
SHA1 27d94426bfc5d19c477eb017a96dace1315bd05e
SHA256 3ad471cfd85666b3dd397934ffeacb87a3b3ead16491d93ebd8f1cf6f256f060
SHA512 abe166db7ef25c30ac272fb2eca216f01a6a3b87b9612c62a818063d5c374f01ef736775e0efcbeaa4905149dc7a765338a509f3a4e78e7028f736d41de92eda

C:\Users\Admin\AppData\Local\Temp\YYEIcMcg.bat

MD5 9ee7e00b4377482f8f14ef41dea06212
SHA1 cf2c163f44770f333cc92e14f33b89ca9cd5f478
SHA256 fa91379b2f18a70eabe74f9305c1e57047334d6d5e1e09efac3b7efd8fa9d539
SHA512 68b93958ff4f93451a606148c75cb7649ea7f66f2903b15332ae132cb61d55625821d0f6aa7578df5f9bcfd65bc6d2a7ec2758a6aa21fd293f4f7a867809d578

C:\Users\Admin\AppData\Local\Temp\UqQUkcwY.bat

MD5 4029cf8f3af7d1a57f9cda8663a2c2da
SHA1 bae37b797d06e723850269d687f401f6e37c4a9f
SHA256 6f19c71b5a82b1fabf6380b3e4354d9b7428a35945df90324f1062cb11521fa9
SHA512 4393969b5f6acd0ddae673640e59ca66295720d8cf88f0ca91d57dc1ea40296fddaa4a4f280a93ab8cd6f48e0de904406eafb09f55bbd23af4e91f7e9edb5c30

C:\Users\Admin\AppData\Local\Temp\aGkwcsYM.bat

MD5 1fb6aa87795cdd5a42a01cda6ad26213
SHA1 977b42b1c5090fd5c4173c4acdda2aa21f0372ab
SHA256 955caa4ff88a2be75b4757f4f60709d8af75c7541f92d7ccdab5cf64a447b10a
SHA512 656b1abf010b4079e56468db31926e70d0fb9043d5d8f0516152eb4b256505edb588ad8bf07bbb75c44da44d1dbe89f62c6f2caa865fc60db1d4513c33fad0c9

C:\Users\Admin\AppData\Local\Temp\kQQE.exe

MD5 fcdd30707db1c9507eb11039084da3fc
SHA1 bd582cabd55600ffdc23a09a57a67176686abcc0
SHA256 3685a0e2bf47c3ba41e391aebb91824bc4df0369b1e9fa3fbbc949e22a4a73d8
SHA512 4bbba4b07c2ae82bda29db1ec2d42a122d0f40ca7151e1f20153e8c5f2ca265f964da363f3ff9e2e2d6cf6b96392ad988a4c88cbfaf8c2e9a9b40a6478cca63d

C:\Users\Admin\AppData\Local\Temp\WQkA.exe

MD5 f7c44971b085f01c332abb816a4a0eba
SHA1 17ae8b6d55e24db3615badca12aeeabd858a904d
SHA256 b9bf3d1b7389a3f81acb4f905c585636c6bfdd8c159e001424d73b8c4c23ec87
SHA512 7356290ea9fd865d1a3c32fd056bc9bafb0d28ac9902a1f01e1107424370da2dab45ea186fd0e18e98e300906ceaf18ae92baa1c1ccd6e635c2115b5cdf0ea87

C:\Users\Admin\AppData\Local\Temp\wIoE.exe

MD5 67eef21b808ff7245c87d00f676128ef
SHA1 ed36f9710f207b2c79053cf3ff0cc9cb3c4f0490
SHA256 3db973281b9d7e77c0e9fdfb4f8cac5da613f00107abc9239d020023106dc9a9
SHA512 0e293fb9f052209ae4137b2df16660ec344ca52357edeb954ecdf44432ef1e988c123b7cc9f329aae97f6f9dc7a777abeb50eb9b80c6da1408e8197024a4f3b1

C:\Users\Admin\AppData\Local\Temp\oKscYEEc.bat

MD5 dcbf5484537fac953236b875b886c61d
SHA1 0c16e4498190f20fb771092e05a622437f4a1130
SHA256 eae238a0d29dabd5c1d804ec695dba4d5d3d9a0386febff0efb2116452099760
SHA512 0936badd9e5eb6be16038cc090952fcf31085f638b872315ec5538133725bb3973d0fde42768d1f596be8d0d0806d83df9e41e478d1c5c2fc30ee3da07d4613c

C:\Users\Admin\AppData\Local\Temp\wsMQ.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\IsAs.exe

MD5 01ec00bc35b4358b7cbfe841a71cf379
SHA1 3090f79d2b32421f7e938def4dd3f8351aaf53f4
SHA256 14360f25c22e5ff4ef80dcc522289ae1f935283dc88decad32ece16ba2730883
SHA512 3223b4f6c4be5b24fb4111716a633147641c73d59ad6c946910aeb9a88df14ec43806cbb8936ab942e82960f3e9ce4e4955206a107b0e2928efbe57849700600

C:\Users\Admin\AppData\Local\Temp\gwQU.exe

MD5 4853ba75b54549c6fd0e537bd1d10b4c
SHA1 b97255eb89ec12d1aeccf3bc7573b285c9b7db32
SHA256 8219d6ba4f94430b632da1e89c221391fab3374412bebc788f8d15bbc5617a59
SHA512 499d73c95c5523b366f3dc95f79d44ce5355366dd497a21835401075015aaf822d2eca3a959e6ccc88d1cfd96bd0024103b432573d540b3beb8190e3f103b0d7

C:\Users\Admin\AppData\Local\Temp\goIg.exe

MD5 8fb7dd145742d513f3976af7eb67b058
SHA1 a3ae2227cb02e0e36bff30bb1ec348599cb86b81
SHA256 cfbf2cd42c94ba0dbc8c77906bc0539e66393666bc43d795c58f572d0385afec
SHA512 f29bda26c5959acbb419e6076d9f87a8267e3bff8da752e2e7f060988510312a148468114a4b45418f6fa489e3a36a41ad1e411cba8555adabadb618996fc6f6

C:\Users\Admin\AppData\Local\Temp\Ocsi.exe

MD5 68f491124c8cf711dcbdf4d3ffbd934a
SHA1 ff41bf550f0856409f51c7d55f4cdbdc9c54aa27
SHA256 f67ad33b75ec5bc36a2c35fa1b23d3d22f9780d82ed158aaef29d99faf07b689
SHA512 f77ee951cfdeb5c2505aff089b1db4179ab1ddcd1f1ab54ccf9df9c895499ba3fd9949ac38c58a9fd9b792169eae860a5cbd7a0e7893a7e4976e4f8fdb7d33ee

C:\Users\Admin\AppData\Local\Temp\UEgW.exe

MD5 8ef8e839464e223aa00bc20d00395fa6
SHA1 3fdc22ffa182d74374a3f801384f80f819666d37
SHA256 3901a6ed0c7a48f111ea170a68e51eee35715628af4a7758d9314154821bf775
SHA512 65c90e610f4b0e8a672c11c432968bceb3d3d261ae0b41f0ee4ebc3cc529c3d9fbbe2c748a6594be027287e29d16f64acd7bb90ccdb28cdf2944536e9bb527d3

C:\Users\Admin\AppData\Local\Temp\gkYk.exe

MD5 aee3ab2f3a041cf22e99ae2ebc6ff391
SHA1 739feeb99003e62e10712b67fff55662eea6f4e7
SHA256 246854785b4067e0942b165045d84f2a1939fd8ea72a16c038b294559201ee68
SHA512 dadb3a3ddbc661499912c0f375f3fefbeb320c3c7732cb8f58b77bfbd537f743ca5df5648b4004c03c5d9aab0ccd2f41251d4e62e2660ade7d96470ac654bcab

C:\Users\Admin\AppData\Local\Temp\IkUU.exe

MD5 672378d46f9fe84d14a752241db9e9bf
SHA1 d0e14c4c3d07c3d4407227c830f4633bc06e22c1
SHA256 d88cb70aaa4e2d574b3135a496ab1273464e1c4272c9aea90295bc9241db3b63
SHA512 51ce83127a209fd491bdf4ac2fe049418677ec6656121813953f7cde1b78194353ec2f400b72dbcc7d296f7678fcedb17a31188afa388678ce531754ae75e578

C:\Users\Admin\AppData\Local\Temp\XqIEMokw.bat

MD5 e0518bbda88dca61145558170ecad095
SHA1 381219c310611ec858a0d3780a6a07d0444f7d3e
SHA256 4879d4f73f9af994c7a43141aed5acd6c976e21d3c1ba5b662cb3892806d7ec8
SHA512 8449495febf1e7793b08dbbc6b39dc7fd44ab9765584ca9d224120b3753b25108963eee103e1435b6899e21168dfd7ff8198553767945909483fb1767055f086

C:\Users\Admin\AppData\Local\Temp\MEgc.exe

MD5 9ffabf2950fab13f73a8c9f06ecfadbe
SHA1 d293165da396a447a05350363805cc0c9b170e23
SHA256 4146d0586b1150005dd5ab9056c1619994bc078da234837044f717807664ed3d
SHA512 f4855fc5e1b8f81dd12c6c81b9ea12a494a80c96a3124a951f370ac68da8e49c8bbdf07d2678ac9359988e971811fb425a455bc44cc494fbb322568288348431

C:\Users\Admin\AppData\Local\Temp\mUAm.exe

MD5 35b9093edc386488a7cb28bbfdcf2c21
SHA1 dfdac66fda7a11edacee16a8edb8ba059c2c0bf1
SHA256 7fe4153bdc5597dd1d68f78db825d1d1771ae86f18a126ead9676ced869214dd
SHA512 7a4ad553b853be3916a158372bf266e94c07de9bfbfd1e678fe437abaf413457beb884bfe3bd614f4cc3aaaef3d8cf2f35e145c344167c43585178f546806399

C:\Users\Admin\AppData\Local\Temp\OscA.exe

MD5 5262b32fe57d19cac1f99ca9c1f5528a
SHA1 9883593fa31b1a6ceb2f8a5e93d7c6cb0049e4db
SHA256 a0369aea1381a97694949c352fa421347063a81ad41e445ab4e2adb62a9acd9a
SHA512 d52df01514ab9b1d159f9f528fbd435038d91d5b275ad56608bebd594c393c92c9906805d32406bbe7f6c3cee53db0117e0725e860eab8d9e242c7899be1fa78

C:\Users\Admin\AppData\Local\Temp\QMII.exe

MD5 73f23126985094e0fee461457c815d9d
SHA1 b4332aed8aa18075e135eac66af52ce797b708f5
SHA256 64d34e049811d6ec944372891edd095a83f212b95e6db1956c17cc3b34e14ec4
SHA512 7e67757bb74ffe4aa5ea77b406ff89b8663716fdcc93b560348b54d39f6dbc8e4513bebd76caeb099e74eb7160fae631eec5fea0b12e7534e1f21a7832216e9e

C:\Users\Admin\AppData\Local\Temp\iAwO.exe

MD5 00d3014d1b5c7d8bbb4ce0831522b533
SHA1 eb0ce4f02d6d9c6722ba17f4069f2e28eb64d6e6
SHA256 2275e803fb4d230bbfd78271cf569936019d5f1441915906da247c9bca3131e3
SHA512 5656e77b2f5c13b02713148ddcb87faf90551ffc34f100f95be1ea8115d21ab356d89a54417341700d8e7dc83f64c17c4863a34dac0f6eb438777fbaabeb6426

C:\Users\Admin\AppData\Local\Temp\SsEe.exe

MD5 f059ab7d3e968e31257db0aa2b72f2fb
SHA1 fcb888dfabf9e8975d142c8a2c87f7faf1b034cd
SHA256 952953c8f7919416cd5fb982826b88ef0dbcdfefe5e8be8c6390499dd3435543
SHA512 177aa5c835344ade289a7b97be6aa5737a479b2584d7c0d45ff7036db5564f01cb3c397b2a2d020f4e8a38d1268458c9ea6a326ab5bbfdca3affdffc0c4f7c08

C:\Users\Admin\AppData\Local\Temp\UoAu.exe

MD5 82e51390f292851394dcebe463a5730a
SHA1 3eb51ef371e90b169cd89a9d1abb425c4f6faded
SHA256 6a308970c72e5a1ebec72742403aa9d25445997de9ca647d873f4ba36ef624d2
SHA512 ce32d25ca89270cc7a31029d9291e78bc3bf3bc2639867e28486296b740b85cba382cea9dadc87020ee8300d3f82e1004bc9a26c5497e31f748956d09bca80e1

C:\Users\Admin\AppData\Local\Temp\JsQUwMks.bat

MD5 384d662aa111f18fc3a6f98c428cc442
SHA1 47fb1dfc1e3f3c3b8824763379675dbca493aa09
SHA256 0b02975d9ccf2ce3ed239b33c7c21bf0efe1dd9c1bba41dc41f3525dc48b1197
SHA512 58d9211ebc0c09b9bdddf92bed07e97922562503508116a89cc656a43994c9d0fd1c952ae5a65f4af18089cc0549009b9923762b25e3045fed8d41a95e6136e3

C:\Users\Admin\AppData\Local\Temp\WkQY.exe

MD5 0dbe113d29e66fdcc79200087f151bbe
SHA1 2a5b8600c2c6f80a0372265f44ac06208b467c76
SHA256 100e27a86d8a2313f0bf7a2931825f2fa038f6994fb8c9fa10e1bc5e0c6c22dd
SHA512 74616110f2d62c45dcdf46f6b33584700bd749e39f2d7b3ad8d8c4c45001117a353ab66aef750bd4b08857fca7702f647ff1e3ec4d7916bbebc6c0698b5f601e

C:\Users\Admin\AppData\Local\Temp\MMUm.exe

MD5 f9946e8f37d49aa5e6879308b653751a
SHA1 4241dae9d316570187486d93bea3235200768a0a
SHA256 5ddf82f659656968e6292343f57c17dd961c2e8e701660023e90ec3a6487a7a7
SHA512 52382e4a4bc0cfe8311fa7f8aeb6f9389738834de9ec536c6f7093848b8d34019fbb3356270423e4c5ecfc05469044ec0d1af6880455bae6d0109d2478ddd0fd

C:\Users\Admin\AppData\Local\Temp\gwcg.exe

MD5 0e603f74d0ad1d87c0ebec5f4d575e2b
SHA1 821b0701bf651b50658d76119d93544b110b28ed
SHA256 a3de57ce93aa254c9e5361defef84d91c509f2cd66bbb82b1624878ea7bb8b28
SHA512 38ef00985a2854f7086974563c72494478ed0a7911d16505227b15e002c39e3c36a83a9ffd2795316c3d0baeb924b7012dea85ac869f59b8e7e4e86852a1b165

C:\Users\Admin\AppData\Local\Temp\Wcsi.exe

MD5 fe763f497edb50fd6a23e89356fdba24
SHA1 81c4a4dfb9ee8f981a03ec29aacfa044710604de
SHA256 a61345197be4cdfa1d6c690f2615956148b87d12307a61c4c57fb06bd1e0dd59
SHA512 aaf22525e9248bd3951ad7ee2ddd2dc1b99462ba747dd2270bf5fb92d5c6e06b796883204b4ab1a85c0034b1f6a262c26ec7fa5ad1bc7bdff5303041dbd5d26a

C:\Users\Admin\AppData\Local\Temp\UgQs.exe


MD5 d118ab85d11d0b604a256f8d1d40b261
SHA1 f33ee126b6ccf40f279fea5e05bf85caf6311790
SHA256 64b3625b449df727189e3116e35b7897fa6b348244fed96d912af832c98c2269
SHA512 03fbde4487811f2e67721aa1b502d36cf97f74033ff87c3a323803a764de692fabc660f425a92a9f009054054df5c40f95edf830179830fba3c459ebee8672f4

C:\Users\Admin\AppData\Local\Temp\OYwc.exe

MD5 3cc15243ad442794e833f91f84f4f988
SHA1 765189ee285343b0dd2db9ac9770f3c5c8015675
SHA256 4a15dd5ac19f0182b3fd67e3583716e422b20b220d766b1995db7dfb419ada32
SHA512 341f9606e6e9f3d6b231eac21b3a21ad5b43288595cde49df84572bc3b9684ecdcac74ebe297d6cea2eb106b0b4ff3061183be653dd19e5de2351cb620804f8f

C:\Users\Admin\AppData\Local\Temp\CAsK.exe

MD5 2efbb91547edba9166c3c671ae60bae3
SHA1 ab9ed219b2f3ffb0b46968f0070856c34e64b0f3
SHA256 9d52abfdb12087eac713b4ce4e275d604cc61f87e60c7d1b2cc61ab579940acd
SHA512 57cc850e54e9fc7880dcf3d14f800c79938fce567a2c4c117abd2e4b137ec1939de14e83895c1d849207a2c0d7db23b97f6b52d919639448d4b55ac5e579bc0d

C:\Users\Admin\AppData\Local\Temp\UAwm.exe

MD5 f3ebeadd0c5f1b602f193076c0b592f2
SHA1 635c245ab92a270b40f2556380f40e93de4aa09b
SHA256 6930fad64300e377e2c7da9e7f37879a661d6f57cbb04b2446f250e7e15e270d
SHA512 0f16e565aaecadd805be8fc66aa67f5b6e9f710bc1db28f65dbd7c4e6120a987d5a758d59f5504c99c95e765d939afbcf354b4edf9e9b4e0a479d1ac5a346960

C:\Users\Admin\AppData\Local\Temp\SUUo.exe

MD5 06bd7f3cacba4dbcda382ae0581f7599
SHA1 0439a2f00b30ac66845d95f38cb1f1b49ca23400
SHA256 b941fca483e65bbee2f7488b327a23aa71c978961167e7b8266e491089b02e33
SHA512 6c28b5e305b6b75760aa079e31264ec88085003ab0bcf25471f6f32d36507f9b47397073da7dcdd7c75f687962919277d3d6d0bf296a53cbe7aefb18664706fd

C:\Users\Admin\AppData\Local\Temp\sAMY.exe

MD5 dee0636f3f73958762c5f3625b9e6b7e
SHA1 adfcbbddb5439f9b525851f6add63bab9391f637
SHA256 f056f0dccac5a3f5884862a1e48db7d5a40f4ee5b29f28b3bc51f2e3f816568d
SHA512 9e5f398e652723b358c3c1a8035e7a63a6743a2afbc1fb34c8be66bdbf52fa3d183f03d3c17412adff6f118afcfe46aa7ad08370dd8ba247a1ad9ea8d879bf0e

C:\Users\Admin\AppData\Local\Temp\IMce.exe

MD5 7d635ec1305ca362846582f8f10a0652
SHA1 576f965dee63b24fc7f64453bce1b7b8f2c8cb58
SHA256 e9c1aacbb9f88e7ba0762c6bd23f5dc865a9d2c3b1a63f464952b40d63e33072
SHA512 59eac01c4b7d0f319be3dd88f8037338e128542b2b7024f96d1807088f3eaed279ba2a16874e293b5b34c234e91f8c51747efcdb068f688a36ac4647ed93aefc

C:\Users\Admin\AppData\Local\Temp\CMYs.exe

MD5 527eb5dd19324fdc5e98a9efa4963e68
SHA1 62a5c4317091215bf173157f966a2156e81cadce
SHA256 145f9bbea8ce60bbedb552f54b996722868e3f06ffbbd1cc7953ad2d61d5af52
SHA512 ba271570bced82a97062e5fbe9a9adc2f39ca614d1c3aa7125341103bc49b4a69691bb08f8b77980a32435f29385926a6a59c370db7d50ffdcf03678d0384c96

C:\Users\Admin\AppData\Local\Temp\jUcEgoAg.bat

MD5 27abd33f01035a2d443325a7eace1b57
SHA1 960e6903d20405957549898e8ff13a536e1e2279
SHA256 d172e7ad705c35588b52035d2d4949338a52b2b00b58f9f9387d66016fda6c51
SHA512 e6521a0b5feee5c46f4627a5affca77f7660a8b2b8042939dfefe884ab88ceb48a04eb2a5fe912b90d02797dabf5d1704a5609018410bf27abe058b7c2cc4bd8

C:\Users\Admin\AppData\Local\Temp\coYQ.exe

MD5 46327c44e052cc29398fc9ec16fd981f
SHA1 172869d124c92dbdcd7a4d5d1a767b25ad456cd3
SHA256 7602b7821cc202958ad05578182400cf17bdc4636244b6d62f3797131a20ed81
SHA512 379a8d353a1db662c2a21d20500183578c3392c30a6c048b1bcb4b8d58879ba9dd0446c08312f292a6d1f03b888b83496f16c766d4189c8aae84ff9563f54510

C:\Users\Admin\AppData\Local\Temp\QUsq.exe

MD5 f947de31858e07c04bec0ba493dd2aa8
SHA1 6c97113e55c0d161c0447209455580e66d595645
SHA256 bf11a94950aec05207da02a3929935404677b23d97ed85f14248064ddc93ac62
SHA512 d5070e4f44f1c1b32edeceec8752bc19a0d05f1c9d491199d69d7003e2c0c6189240b30b57874401a37f8eff666f2c5048aa703d19118e95770a889093b1328a

memory/2912-2366-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eAkQ.exe

MD5 99050cb75a76db22a872f74ef51cde7d
SHA1 c122b6ec50ffc893d272668dd13d4e992fea37d7
SHA256 b84bc1bcc6f50894d45db739f54291450cd2dc788c834ff8b4e93d99337bb298
SHA512 208e552c5555f6619febcb0338afea6ed7b89c22213762f5f7ff8c5be1675ba82964055ad769deba35e765cb31f6988432bb1b3950a1918889b52f9771a8bf4e

C:\Users\Admin\AppData\Local\Temp\oEcs.exe

MD5 e386441e8f4bd70c90ced8ab3d42d555
SHA1 1d7d32e33665f5649a7f35a665af78f7d3441c93
SHA256 d05f8e13898dcabeecab160822e410150ebdfee88dedcdc0595617c2d505dc54
SHA512 141fe80b5522dbdd01025463fd731990c71def41bc83cc0dbd944d1f86f02fe3daf4780f92cf01fcf03b3d342657ca07c01b8550f34a2d863175ba63f1f3e46b

C:\Users\Admin\AppData\Local\Temp\mcEs.exe

MD5 6d4952fffb6b926167ada5500997e696
SHA1 ae749375411c5b06d42e3b19f46a364bd3a43587
SHA256 5bc8e2dec9a9a9639c60e912d568d28d1259b54a337578c8ada4950dffc99295
SHA512 26f81ed08c42d8d8f4e4a6664fc4eb28151b17b0e7793123504457750cff62c774dbdbb41ab27d84fee3109b5b65b62aa09a430f94b12fc22593e3dbb4fd5799

C:\Users\Admin\AppData\Local\Temp\EwMC.exe

MD5 1776657a64071843d492391dc73a83bc
SHA1 8023639ad6117966b1fcbc82319145e7b3d2f7ad
SHA256 6388d83688144e413dbace2c6488f4f1ded0573ec9881a12e844c5ad67acb4e6
SHA512 53f7cc241bd31023d2ef0103d8baaf95428b9b69d1d67062b40a554459ced4d3fa7b3d92fd0f842a5a82ad74464cd1a0f74ce00c82e13157979a5590982273b7

C:\Users\Admin\AppData\Local\Temp\UIcK.exe

MD5 de3f593efc6b16927a26ff7527e84d48
SHA1 ee2d2141ccaa729f065a25e3c09b234a920ed1f4
SHA256 90ffa14f21405b971461fb99dc12735413bfd95cb749e9f43146439ca3403479
SHA512 1302cb41056abc441d0ec30e2cdb1f44493244f7f4038a526224ad9861455f6cb428171ddc0b3eccfbed1d7ecfc456a081f2ec423f7dadce22a75d73a230c1bf

C:\Users\Admin\AppData\Local\Temp\iQEo.exe

MD5 04ad7d8dbb8526058253b072b67eb567
SHA1 a9bc033b87666fdd9116328e78a037eef90a0163
SHA256 711f66fcfc20f92b6f433931f7cf804ece39084182ad935aa20641fdc2ab6f15
SHA512 9be7eab5c99aa2815ffecf2b987269f113208a161e4ff245618b03061d9ab7c5cfea4b17f13fd5084a9d6d4cd194565f8f05209b707f517d4df03121b8450bf7

C:\Users\Admin\AppData\Local\Temp\eIYM.exe

MD5 be9999aeebe535a5b2d491ac890c3788
SHA1 95b00381693f65e65f80c44d4381bd8abcac73e8
SHA256 c441451d6b989a1a304c0b35875daa406da24418c498cc10b3c7df060cb0eb4e
SHA512 cab08fa12abab5fe8057a138e766669bfd2d211bbeccb7fa6359977f0bba4792bc3437600b7e2b48d8eaa0970506c7e89681923996ca865f4c0b1852491f8ecf

C:\Users\Admin\AppData\Local\Temp\MMMA.exe

MD5 ea9b82afef664f1358be639466c9c0b8
SHA1 0fc88455d4079e7cfcc2aa7c5be0424c33a5318e
SHA256 dad49ae3f8a98d038845d7fa4290701dd5df1998b10756e428b38baa544cc22c
SHA512 0320f98ff260b4106bf94015a0bf2fd171b29f784316ceebf86b13b22c1a364233f9e4a4860543323a71de82327a51650d42d65e845d505c129b85542457c614

C:\Users\Admin\AppData\Local\Temp\cEMu.exe

MD5 b1312bd832605923ba535ba7322ba530
SHA1 46aed60c78852fb2fbb001d83567670315e4806f
SHA256 7ca4ae865b412112d013e69a54b7eed398c740e24de11be71883a90c6650f593
SHA512 b2f3cd424faaa5e64f13495d628a26325aa0d1f478df349cfa7fa2e3a90131bd5744280600352883bfc6f638c8a2b209e21edff786f259bd936e44818e88f76c

C:\Users\Admin\AppData\Local\Temp\vQYwsMAk.bat

MD5 828886c6f5e579bafb35e0f6ca44e9dd
SHA1 1848549df07fdf97f198ca12e6af079b488a44f5
SHA256 bcf5ac135a62847b505ceca9205b891c4d745eb9e3a71a5c2624234dbd832bdc
SHA512 5f2db59797bdbd277e7d62f5a99eaf0fc4244bafdbc437a5238835598c89bf7a207b813e4150ac53d647390bcebb004bf7fd2697e9615650a064e704c75da92c

C:\Users\Admin\AppData\Local\Temp\cQUW.exe

MD5 63cc594d4b1681c7e3ee4c99cc345460
SHA1 3bb1bbbd7b32f41f978dcc0ba5d9f26f9eb9dca2
SHA256 75eaf581c7bb2df0e4466e7a33a266f1ca20f526df0c3a6e1b0b93e0481e3c92
SHA512 916208f9b36a58b8c6e69b90295858911928b1bdc147f0af6855a426c8e6caa0e5c16c85c2a44a5fb2085b485e859f06f4661d6b79283dd03f18226ef4a3be85

C:\Users\Admin\AppData\Local\Temp\wQIo.exe

MD5 f5ff4a8a342a0d5bb7cf42ea7612ec3b
SHA1 9beb2fa9749ea24ce3a00ce11f7c3d75baaa4e6c
SHA256 d644bfae6d500f67331515133ecbf556dd43b33c51a949216007eb9900953570
SHA512 d43e7c05fd4b8109065f9c7f8c4f1c1a496e810350958d1daeae818bd1f403366bbad8f69fa9c12d791b5e802a69d88ec7e861c791962641a9b60b596794b774

C:\Users\Admin\AppData\Local\Temp\cwow.exe

MD5 0ac878484b70cc380e3aaec402039d71
SHA1 6d9afe3564b6045e7e76e9b3c4eec1bfc590292d
SHA256 f554843df781f463adcc3e497982ddd96c41a6450ade96c552bcc838dbd1620b
SHA512 3e41c8e3d9f7a843e34469558ed1129c357f8bddd2e6376ef1d7bf29f4b6ebc60f53a247e75fd6a1dd0d2ed63a1ac53b3d665555853a7b618da38a12082674e7

C:\Users\Admin\AppData\Local\Temp\esUM.exe

MD5 b0c2b42cc50985b17cae0a0c8b698f0d
SHA1 c992aa58749d9c42bb1a0101518a9845c654412f
SHA256 3a5839de11a89d29f67e3c8ef09da8f44cc0db04ed0cb879962e2d8519efa2f0
SHA512 d5f44e46c2b326db8e83ef9a24b223ccdb5df7030a1dd686d09fa272a87efa5daa8188dc1342d03a5eeb4eca5af1d39b72c2100f79076a22ed0fa7d82cfa06d3

C:\Users\Admin\AppData\Local\Temp\qQgG.exe

MD5 daef8933194abee047699f110e6f297a
SHA1 c783c970aaf5fe4acb01666110b187461f7bc378
SHA256 1bdfeb73f6a341203cdab15e4b017a32900b37cf49bdf710ccfc42a0f51f9f38
SHA512 85910bc522dd8dd7c6116aaff14f0d21a199a7179d0f69e4e9f2134d8e7e2ffe81d336fffca92e2e54a96f66410eeb4e49a2a103eac6a59df5d57d450c194e98

C:\Users\Admin\AppData\Local\Temp\cIUC.exe

MD5 e227e2f9f91e94d4182e350f3a6c6bfe
SHA1 dbc2c37714d558f1df3f26456a66e286c01d5118
SHA256 032f32d975072cca180cf598d4840ad2e73fed4f7815d54b18b2fd27e8f06706
SHA512 0e5cf38913f6db883a82afe91e9fe9994c82fb86d21115415bc75cde092aaf476f542aeea3e1af52202ca8ee7631c9834ebe198c7b4c22b7e983fd54b6a07f61

C:\Users\Admin\AppData\Local\Temp\okUO.exe

MD5 a2b95605957c1ff67c6d1f60b6b3463f
SHA1 a0422fd333ce5fbdf29cd1326d55691264c7f191
SHA256 8e5b7bad6228202557cbf2e719b25bd7f6427d1845c3837969fa4c09dbf20f3b
SHA512 14d488931a3bca4972a924ead95cb6f02132357490b6f042c9f1d205d37f6e00cc0e2d449ee4449970cc8b4e9b75f085b2485c2fd2e761e3fb02918eb06509ee

C:\Users\Admin\AppData\Local\Temp\igMO.exe

MD5 192e11b4b87c934e25a16c46ae96840e
SHA1 d7281623a19254b4de49ccc8b9935b5eebb224d5
SHA256 67ff192c068394c6b8381a106f175f6ee24485b01e87d2d89ed0acc80cde167c
SHA512 817e961b3ee44683482e97043f35a99d0f5bf1e33d65b6c84e5b3b0cdff6add175543da9d578c7c1cdfcf810fe7a94e89ecc2d75fb6b46d8e90b3289c45a34e0

C:\Users\Admin\AppData\Local\Temp\MCEs.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\QksC.exe

MD5 7e520a131fbba253d73c7b0e3e218574
SHA1 fd83734714c241ce4c2cfc541e1d6f93cc362db4
SHA256 140a520d2f6b16bdb5cf623ad6a686cd80481d915bf3f3bdf78b687185e6c6a7
SHA512 5fafbb1fcc8fd441b14d6a509fbb2ab83561bfa84b551fd7ccc42bd89e2771a4cd6f03f1b12af6307db816e287eb40493a9b34315176608890eae07d67e5d71e

C:\Users\Admin\AppData\Local\Temp\dEMsgAso.bat

MD5 6a7de8485a8b2a84f0aff5a8fa7cdffa
SHA1 e0765aeb84401e3f8794dd664ed81c4bca4a571d
SHA256 00933a6919274df7affa06284ddee22c5ba5700f965d5172ecfccba56b4e7bb6
SHA512 ffa162498250fd96cff9f7d1a7583b2adb9ca2dccdddf40a34cb8228cb22889fac07d5f8e3203b988474f0826e30fba105d0d31508ed986c5d0785002359e241

C:\Users\Admin\AppData\Local\Temp\AoMu.exe

MD5 c129f1deb62bdf9d01d30328da66a00d
SHA1 bb2b970baef881d6683d0a71270d52ca1a929acc
SHA256 0b283b06388b32d05affd1b809126c1d8da884062933571399f6d07cd99b28dd
SHA512 49cdfacd826fe78a5cdfa29b6325e15246d5bc36905017032517396c8c1273346bb90fa8ba6ddadbaf4c820e3b86c15d4c79de24ca4ff9f11031402f951a7c3b

C:\Users\Admin\AppData\Local\Temp\ksMa.exe

MD5 53e962ca041979e90d84eed3f28f085e
SHA1 e61c74de84c11905209a4b8117ba903cfb449534
SHA256 622ede49455d90bd125bdbd0dd232cbeb7b356d88ff311176f04036ba81542c5
SHA512 ab6cf38472898f969d7f0c122d4911a4255d7e0c5e33d20359e997165109a3bb18b10c335104eb1c41b3faf6d61fff437dfe7e8ae20d5e9b85fdcdb6c7d02bb5

C:\Users\Admin\AppData\Local\Temp\cEkY.exe

MD5 2039dbe7cd00a0504d71023b4cea6184
SHA1 2da61ec6ca491025b32b880e299e64907d264db8
SHA256 35c22ecb7a28f70fe9262b8dfb495996411a74b255dc4e689df4760e9edb3834
SHA512 9451ab49e3aade40b8273229c647dc29cd32e78df3260dcd37e7dac3ed7deee10c778de4df1d327cda96733a74799f249fc941a37be01c56f56fe390f515dd5d

C:\Users\Admin\AppData\Local\Temp\WYAQ.exe

MD5 78c4f79d3e50bb7c6d6978584caf158d
SHA1 2944e14bba44a6b21b465a810bb4e530d881cfbf
SHA256 84f397fe6767c4d3a4062f763c76e5dc8cebeacd7279261d52fd894578224f2b
SHA512 3bc6db6897bae4b6633c3cfc57ec8862d0cebea4b462a00c20446f42d35bf3673968e40b05ea8a7f555ff6d4307983912edb883d57cae98de63a254c704464d7

C:\Users\Admin\AppData\Local\Temp\csoW.exe

MD5 13ec3f1151508dd48707846f1ad7da32
SHA1 ad0ec70dc1c94a787872e302d8ed00a15c074742
SHA256 ad6d65aed392477248d934d4d46f9370569c35217365939fb4189cf4ecf47e55
SHA512 ebe1f359a7bea8481006b2d99febf01e754e01e5b491f82ab00a33c2b81a438fc79c4f22e6dc3fac01c33ff8050b353126bd1d59e060570942a807d04638f75a

C:\Users\Admin\AppData\Local\Temp\ygsS.exe

MD5 3d5ff4d0094bf7647fe4c4825a3657f9
SHA1 9904eca3d775343bd16fb41a8187a529b21301d3
SHA256 9cbee2867222004e0690bbbec85eaa46c3580bf1298c9ae0b63bda74a3803d46
SHA512 cc2c88442351a863907b0821eabd58dd1b63f77555608450d3592fd9cb7126d973ef385e13a64d1245272370c98a4689b3e691f3887e7b99809170c184610804

C:\Users\Admin\AppData\Local\Temp\WEgA.exe

MD5 45f4ed420c174b9cd32c5a5e76f0b4a4
SHA1 929194273689ddb244336c8371b59e650a4ca5f7
SHA256 a97817e6ced617fc3c8d901aabbfd6bd389ffffd0646c02d504399b4e03fa714
SHA512 00261b43f33eda8c5517eb1d26580da153b47029260ce769431bd6cf02d076bf2d3d19a95ebfe170e2d7a2b225a17f3e4f700a6d1bbf24c34a213109734020ad

C:\Users\Admin\AppData\Local\Temp\eYAg.exe

MD5 15a8e6c335c92d392cd68105b535fabf
SHA1 aa4cf6c2129711d2d80f2cd0e9e23df87091c6fa
SHA256 a4c62f6969649e27e7ae43cde942f3185bdcaaefbacd4bbfc2f3be04bd5bcff6
SHA512 aa900df385b74663fae6481d708250982b32538db85536cadea51d3c77db9a1efaa9ab8377da244cd8410d5a0d75a5752017154d9a6b47b3b172907c360a325c

C:\Users\Admin\AppData\Local\Temp\yMYi.exe

MD5 35f8553651ca0c180bbb7bbdbb937797
SHA1 b054b4a74c3b127b91d9a9678297211e8250a640
SHA256 84891136d45906794580b1e7e2517c98a0b88ce35c58c7c788bd7a811d6a7b44
SHA512 9a7311e5182142d85305b3c6c425711ce7f314db18c36783c8522480362b81fa58a2222eaee9d2ff16ac57f2c88f8fa60be85a4a2a7aeec662eda87d51caf532

C:\Users\Admin\AppData\Local\Temp\sOkwAAMo.bat

MD5 21a96e7a3b2434572399839a2854ed18
SHA1 3d4b27d43ea1061018890fd875ce4e53e8b371e8
SHA256 02ea6d3cec52ac6164e4653cc01da3de540734cc223fb8fa413042e7fffba084
SHA512 f56df6b488ac08d6407b439d750b3a4cc1115de22fa36346d4096baec24bff4d0b7cbbd0bc08e1f6849060351728c6fa06b596912c0de0eba3abcb7135f8157f

C:\Users\Admin\AppData\Local\Temp\MEEAsIUg.bat

MD5 17f58a5e8b6de6c983942e11ca4bf71c
SHA1 e21dc82310613787ae7e6557b3d1032d25619d30
SHA256 cce5d748d05f554b80996b30affde00a87af2ee88f69d74f7f836105e46719b2
SHA512 da708e7f78b9c57f123ff8b68d068da36d6591308f4b37d5f0920fbc69f64847b3cf5dadc01423411322f5ea7539c1a385759ceb56efbc2925db09fa6109d200

C:\Users\Admin\AppData\Local\Temp\eeUIkEMs.bat

MD5 4b6e51f308aa4bedd4bb1eb4525e0bfe
SHA1 4f2aeb9b57e313fab268bd4b4d9cf89d7a602b32
SHA256 329a283e30088f9d3cb018973f2091adb467eab79bb89c293fc9eb00c1b699de
SHA512 4b4bef6fc01eb7441175cc80e2a8d7f713363a289c5c63ac6cb419cd74e5a00efdcec34d9c24b122b77a843c4394bcb39f60399218535e1be9fc9e3e679fe7ba

C:\Users\Admin\AppData\Local\Temp\uSMsgcAI.bat

MD5 65e0b16a21b201df51e57de5099326c5
SHA1 6448f264e68cfa5125db01705348e08f4445a975
SHA256 762c4f905b7fe2f291e066929b3b86bbf1478d489799702962e2b8e9d27d7ac9
SHA512 3e857e1a4b1a75f02f479b7d80d27df5f029ae0f9f035ca016a67d8253c6b7ef1dc2257cf494e3834187974efdb2556b9e45d105607b9a10b04b3f5a85b0a2ad

C:\Users\Admin\AppData\Local\Temp\HCMwgUMQ.bat

MD5 45e72b8b13d7468241042f872fb19ac2
SHA1 cf20432079251c0951dc084c6e963a8e6c579536
SHA256 b4716a1cf79d15d0420b9e4caaefd667900951a68625f37112b03350b485fcef
SHA512 7d2e5b407f1d4d583f25a521e34fbe8bbaff315df00e43b27157489df4c0505406faacd25a6c835abb509ced5e2a35b3e12c11f46f2bc3bc921600120cb544af

C:\Users\Admin\AppData\Local\Temp\jwYksoAw.bat

MD5 8ac7903f1ffefdd91c5dec9b1a5ca55b
SHA1 f81e8a8309937bee37c5400a4c534f3537683417
SHA256 78cc9fddd2925fcbc0213a3e15cbb0ffadc9f397c18493cf524979bd66427f9c
SHA512 2d1ba6e7899f019c49961a125bfcf46583332af9afe19e5e0de826e8dbdb0d4bb104c886ef37c9729b8ad44f3c265bf56e590ddc7e95c8132c94d1141b714bfb

C:\Users\Admin\AppData\Local\Temp\XIkkcsYw.bat

MD5 9e9311d025943b51cfdb4cd9aaa3ba3b
SHA1 4b78e5b1b7e29185a3a376d42ecc0aad9e233ade
SHA256 7239627d16b2628e15fe9ec73f0f412dae7f49e7056ec636817dcb560bcfe2fe
SHA512 99db014888f16f804322eba033e5ba685bce6ea4ab04b5430cd933a5ba589e2cdbd5db6035b09387c5035ff38f734aa9cdddec77a950a1ebda74fb08a3d91456

C:\Users\Admin\AppData\Local\Temp\RYsQwwok.bat

MD5 38a6a213db16bd4df3f50ea6583f8960
SHA1 376d3c5bbf49c986baf51c7e45e29bffffa9a913
SHA256 d2dbd91df60ef9b9aa760a38c0ae06b79968b4a16f4de78fd4167adb76715232
SHA512 03fcf440bb3593b0898ce2e172499eaba4c75ca50815b4d94677c66cf1f639cc7044e6983ba606ff857b6abf0d8737111aa43f20f3be26243fe902d696235442

C:\Users\Admin\AppData\Local\Temp\WiQMkIAw.bat

MD5 ad217638394709a7313368441c99136f
SHA1 469b569af999cfead044c1cc5deb4e8922e98a57
SHA256 49e8d4e54387043fd6a678a55d9a8d7f4beaedafaa7a3b12ae759631abafc6bc
SHA512 b2c609a023a9648c44a60172360ca744d8f58f7b4384b5a69704df6f26216abba53aeb78c3351945354dca6f8304c4caf1068504aaf9671b6f7c2f62723a3df0

C:\Users\Admin\AppData\Local\Temp\ysQYswYk.bat

MD5 bde910f1afae34b8650e71ba3289ded8
SHA1 91b56d713c7fc33e45368273690f830621063f2b
SHA256 4f855e9ee83bc05159e5acc7862d0057f9eea7bd8e1cb0735342add6ca0706e0
SHA512 eeaf7a7e84c6d4a48d43aa0442434b539f21c642ddda5f63c4c9f6c948e71573cde062ed7ed122ad96c238038ac8c2f2d6606b8671779866bd0ce48c5c03e08d

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 21:15

Reported

2024-10-16 21:17

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (52) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\voIYkscA\aekwssgc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\voIYkscA\aekwssgc.exe N/A
N/A N/A C:\ProgramData\rMUAkEAc\kskcIAAM.exe N/A
N/A N/A C:\ProgramData\TmgAIsIo\pkIgggwU.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aekwssgc.exe = "C:\\Users\\Admin\\voIYkscA\\aekwssgc.exe" C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kskcIAAM.exe = "C:\\ProgramData\\rMUAkEAc\\kskcIAAM.exe" C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aekwssgc.exe = "C:\\Users\\Admin\\voIYkscA\\aekwssgc.exe" C:\Users\Admin\voIYkscA\aekwssgc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kskcIAAM.exe = "C:\\ProgramData\\rMUAkEAc\\kskcIAAM.exe" C:\ProgramData\TmgAIsIo\pkIgggwU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kskcIAAM.exe = "C:\\ProgramData\\rMUAkEAc\\kskcIAAM.exe" C:\ProgramData\rMUAkEAc\kskcIAAM.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\voIYkscA\aekwssgc.exe N/A
File opened for modification C:\Windows\SysWOW64\sheExportBlock.xlsx C:\Users\Admin\voIYkscA\aekwssgc.exe N/A
File opened for modification C:\Windows\SysWOW64\sheGrantOut.wma C:\Users\Admin\voIYkscA\aekwssgc.exe N/A
File opened for modification C:\Windows\SysWOW64\sheSubmitExit.xlsb C:\Users\Admin\voIYkscA\aekwssgc.exe N/A
File opened for modification C:\Windows\SysWOW64\sheTestConnect.rar C:\Users\Admin\voIYkscA\aekwssgc.exe N/A
File opened for modification C:\Windows\SysWOW64\sheUnblockRepair.docx C:\Users\Admin\voIYkscA\aekwssgc.exe N/A
File opened for modification C:\Windows\SysWOW64\sheWriteExpand.xlsx C:\Users\Admin\voIYkscA\aekwssgc.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\voIYkscA C:\ProgramData\TmgAIsIo\pkIgggwU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\voIYkscA\aekwssgc C:\ProgramData\TmgAIsIo\pkIgggwU.exe N/A
File opened for modification C:\Windows\SysWOW64\sheLimitNew.ppt C:\Users\Admin\voIYkscA\aekwssgc.exe N/A
File opened for modification C:\Windows\SysWOW64\shePushWrite.xlsx C:\Users\Admin\voIYkscA\aekwssgc.exe N/A
File opened for modification C:\Windows\SysWOW64\sheSelectPush.docx C:\Users\Admin\voIYkscA\aekwssgc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\voIYkscA\aekwssgc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\voIYkscA\aekwssgc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 896 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Users\Admin\voIYkscA\aekwssgc.exe
PID 896 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\ProgramData\rMUAkEAc\kskcIAAM.exe
PID 896 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\cmd.exe
PID 3028 wrote to memory of 224 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe
PID 896 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 896 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 896 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 224 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\cmd.exe
PID 2252 wrote to memory of 3244 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe
PID 224 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 224 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 224 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 224 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 3468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3244 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\cmd.exe
PID 4856 wrote to memory of 4604 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe
PID 3244 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 3244 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 3244 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe
PID 3244 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

"C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe"

C:\Users\Admin\voIYkscA\aekwssgc.exe

"C:\Users\Admin\voIYkscA\aekwssgc.exe"

C:\ProgramData\rMUAkEAc\kskcIAAM.exe

"C:\ProgramData\rMUAkEAc\kskcIAAM.exe"

C:\ProgramData\TmgAIsIo\pkIgggwU.exe

C:\ProgramData\TmgAIsIo\pkIgggwU.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmcEcAgg.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqgYoUMI.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcAgEMsg.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUMYAYEA.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIEMIMMo.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YUAMQogo.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEEscYgw.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckkEsIYc.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tqIsscIE.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEEAQgQU.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NKcUsEQI.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TcYQEkMA.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwkgQUUo.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qKcsIIMw.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AgsUcQgA.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOIkYQEA.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\raYcEAkM.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aYMwsEwM.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQsAsYoM.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUAUcQEQ.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tOwscEgw.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XQIcYMIs.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jOEYggos.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECkkEQEk.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKMggYEM.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCQwIwko.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqgokIQA.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HEssAcYM.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMAoEYkM.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QoEEIoAw.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aIIAAssU.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAoAkgsc.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYAYQokE.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hGooAUMU.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nogMkgEI.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cGUoEkAo.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYwAkosU.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCwQckIo.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VegUscsQ.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKwcAswg.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zuowMEUE.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mSEQwEgI.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwkoMAME.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QoYEkgAc.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmMscEAU.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiYokgAo.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\boUEMksw.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jOcMgEwc.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bCEEkoMk.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YuIcEkYI.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mCkYEcsA.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEAwYMwU.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RwYwwIYo.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VSYMIowY.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hGQAEUYc.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bMgUQoAg.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQcUAEkw.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGEQkwUY.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GqcgcAwg.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KAAwkgEs.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZyQkMwcc.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DugwIAMs.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\joQMQIoE.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkswkokE.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOIgwkEM.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qeoMQAss.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YssgYgAU.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZKYooIQo.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bqYMskcA.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWQAgAIs.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\beoIkgQA.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkgwUUQM.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQgwAIQo.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYckcMcg.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TesYIgUk.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LocgAoww.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIQoIYQg.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gkUgAQsI.bat" "C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c.exe

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
GB 172.217.169.14:80 google.com tcp
GB 172.217.169.14:80 google.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 14.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
GB 172.217.169.14:80 google.com tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
GB 172.217.169.14:80 google.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/896-0-0x0000000000401000-0x000000000046B000-memory.dmp

C:\Users\Admin\voIYkscA\aekwssgc.exe

MD5 ee801acb539a57e31a8e9847648ef70d
SHA1 89f5a771b9c91139460dc44115597fd1ca613529
SHA256 bffdeeb6fada073c0a6cd229820c142f87ddf2a90e2f0204ce6438ab79816e7f
SHA512 30d6a31d04c25a3bd49f519542858070b563fd1f60ea4069a91b77e372ad26ca6dce8130989249c27f7d6302eb6e492a580829e215c3aec46f95744d2643c61d

memory/4176-8-0x0000000000400000-0x000000000046E000-memory.dmp

C:\ProgramData\rMUAkEAc\kskcIAAM.exe

MD5 96b61d01c83066141db4f51ba034f1d4
SHA1 6e1820266ad78938ec8e27219fecfb914340e2e6
SHA256 2c7f544fe2a2e185702a511b01a8fe1c98933d9e5ba7d629a6ef915be667df8a
SHA512 217b1b29e48808d2b5aaa001dc273f9fc6857e1f004e59aee8183a5ac01e3a82d9780dbd2a914d89624ceba683f47649592c23d83a9df2ff971536a2f73dd530

C:\ProgramData\TmgAIsIo\pkIgggwU.exe

MD5 c8d3d6a2bcf67882c2b3d669cb7665c4
SHA1 cb0def6fbb3821c23167c4eb65b106a7495019fc
SHA256 a474b59a03b12cbbe567e7369bb261bd7b3432f96db3857a31f854915ad4f909
SHA512 b65afb13992ecca20c004f7be76e0941460ab730b3dc4fdc800f04030b05e5f9b6b006baeafe96aba01debf51f90ab5418f40fc8ba093471adb1210b8721fe7f

C:\Users\Admin\AppData\Local\Temp\5e367b956bc2eecaf3588921dea47831f2fede3136f6a0a0bec34cccf57ac25c

MD5 4dbc9f9e6f5a08d299bac9e54df07694
SHA1 bb38f5de34b1e0be1109220ba55271087a4d9ea5
SHA256 91c2718dd23b4356d71f88f6146868369033291086df327534546dfa459beb0e
SHA512 a5f2b1f47502836130d8083f757b7773c1e1cb36b76ad298cc29ab2b428c8002d2f15bd839838fc326dac3681c2f48ab25a3e7631d33726c4b25e8ec14170912

C:\Users\Admin\AppData\Local\Temp\YmcEcAgg.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\occU.exe

MD5 5bcc98c93071ca56f25e2b0f4d8cb3c0
SHA1 873b336eb8dcce785694ec2ca62faea90ba7bf9b
SHA256 df5c7269a85976b1079f4122f27c0d73fb0e5e18ab3090998a841e9b05ee7a3f
SHA512 8de5b94d45b780c7fb44217ffc04e2971334144ec5f8ac73e4093cce5e546cdd3753ab92284a77ac49f14bf5f72c912d485bc1e04e8d9b0e50e8d807a3dfb81b

C:\Users\Admin\AppData\Local\Temp\uAMo.exe

MD5 41f3142d51201f2dbfa3ce71417a441a
SHA1 9bc3a08081f2473afa5298a6b0f01d09c1a3073a
SHA256 7335e0dad2975b255ad15fe0023800325f16f1be7e6263a797ba7197cd615ede
SHA512 6e5fb0c511fad18ed467bfc9859b26479c685a2407ab4e2a0b2adc19c4127ac0c62677885d924460b43e461b80cb740f226039a97fb075ac4c9bc0b4a22041e3

C:\Users\Admin\AppData\Local\Temp\KmYw.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\iAQS.exe

MD5 746344c5e0bfeb4af827e31a46d5b624
SHA1 c788207a2221ce3f3a7898aa71a0e5f75ccbea51
SHA256 e72f6454c722cd8d6541811fe5704ee05c4e52097956067ef0fb45ce1b065c58
SHA512 27603e5acc3889187ec74be15a9518c6cc3a6b874f8e751e669d56c2325b4546d3863b8016575925ad4a8ecb1755f522b119f4054f0a1ba786118461b7ad513e

C:\Users\Admin\AppData\Local\Temp\QgwY.exe

MD5 888f8e773f18518f243e980c55aa950b
SHA1 3b9acee56e25b1a6a2a71559ec5b55f643d3538c
SHA256 f82fb04af8f85d93acb7ed716aeab9027e4c5e1dead87273f60b8e0f0fe37eb9
SHA512 4348c3c6077162e81587f84281735938a2abe78382de722becf9c03b55824ffe0950d40b8e5b78964aa3d4d7209b530255fbbca363894117096a6cee066f3304

C:\Users\Admin\AppData\Local\Temp\oQka.exe

MD5 d2d49fb1c0cf7b3217561eadaefc7556
SHA1 2e35e71f774dd5d6922ae644eeab2d94300ce3d4
SHA256 272b29b572a7943e8f4df37620c3ed721c9adcebd372e5de77b8a4f688cf14d6
SHA512 d30aea260fcc9c9d5850fc27171c21b83881771b7be5d84eb48b531a39ea4a7362387a77393a78ea4ec9db29c48096c7ad081ab3a37ddf18a725e2b7f69c5fcf

C:\Users\Admin\AppData\Local\Temp\WUYW.exe

MD5 082f8f81b8c1459d1af33d79b03f4c61
SHA1 9e5022b6866c1232dc7922def6707e59b3c554db
SHA256 e90580a4286cd13d42eac383ae8b385657d7b170e0d9fd0e186466b3f2c3a6b3
SHA512 6b678e111decfa232996f46031e307167d2136035c9cc8c3418bcc2e07e30883b95d5f9675ae266ac23fb7982f63e052e71770d12cbe5bbc9507beb3011e6b00

memory/896-295-0x0000000000401000-0x000000000046B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uwMw.exe

MD5 51f7e8685d95cf9cdfff30e17fdd0a64
SHA1 6a4bf6b41db6ef125d235117ca1747a0caf7e50e
SHA256 1ca78635afb7d2941febd6e6b9cc465d812d14333b85238fd8d249fbeee08f9a
SHA512 4fd9f758598174dc45593469e32e7ef8286631378e00c8265e20d86fb4456d827ed5f99613b573c88c8f9163bba1f74f970ada39e4e469f2b61c6816df8e0303

C:\Users\Admin\AppData\Local\Temp\GQkA.exe

MD5 0a5f899e189faa592f9db4ba8b77c452
SHA1 6da2b02b0568c3cb01227d21766b013dcdb11dc9
SHA256 09ce6c213a4f3989fa5fb0454750718f4d5d22c62b7799b606a940d7265c1efb
SHA512 f3a2c8c888a2f6ddd8462ce5cbf50a5214ff4c28e4325afac433ff82fd87dca5395f2713e8c82513ac90d440f6b30d0dcd8a8c2b887e183c38c59d4588fb2adb

C:\Users\Admin\AppData\Local\Temp\QcYI.exe

MD5 3d1eabfda99d8888977da31fdebc21b4
SHA1 3dae5e0a0ef1f9b1f051e7305079858a5fb3bc77
SHA256 d893cca58683253962f937197c6bdef7277535938e16752eef654b16939d1c7f
SHA512 093d676cf6dd01465a604be9bcaf79ceaf9dccd51a9f69bb43a58fdbfa373e9d28c5c89907c7948c5ec4315e74024ea8b203f0753e240132437dbd9a422abf6b

C:\Users\Admin\AppData\Local\Temp\SUUY.exe

MD5 127eedb50f2641ec6ca9c9cd648cedce
SHA1 1e091162599a7287a369afd0a2d46aa66ab75d43
SHA256 2fb6cfb21ff78e09e10acca67c9fb3ee9108dfb4f0c26cba13b33ae7cca55c3b
SHA512 6752c136659b6f386e44de1e9957ea13b7da7fb7c943d76712378429f84f61da194ff8e2a110d51a711c206150927d3ebe54612e37fffd1f6ebb1e417182d3f0

C:\Users\Admin\AppData\Local\Temp\UQUM.exe

MD5 7670ce72044a1b2254b121a649b09057
SHA1 b7ed0f005cef26df9f1545cd29e573f012aef697
SHA256 988a0565baa95d9b3055916e038997f53d2452a840c13e53466bb2f274231400
SHA512 a7206902797e949c4a98a3e23ae73caff8c99b5cf0c9400a1038a4dbd72baa3109b511dcdec8f594815ea2c2347c0be1931d332b15ffa1a8e0ae67c7d85a04a0

C:\Users\Admin\AppData\Local\Temp\IYUc.exe

MD5 3d0d74388343f3c10190db1758a690bd
SHA1 d83e5a9f4abfd5f1a87d0b0cd8c714fb41824501
SHA256 bc7dc93de2d334a948cafcd34968f30ca4e59aa646b40760c041c55d7c73ced8
SHA512 d1b639a5912fc65ed6afbd10d647c11dbb72e13299ef25cc92b664144f28c7b314861930a940dcd705e3afa62ec9b27d337761c7f6b6bf80f243c37a357a4583

C:\Users\Admin\AppData\Local\Temp\cckU.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\oEgO.exe

MD5 d0a9d0eacbe2d3516ba0afc118e75215
SHA1 fd6b4d97b683293d98be4b2ed5bab2e0059e6872
SHA256 54ed3577c193c2840bafee8943bb255f767031a64aa962ebdb8375eaccf3d677
SHA512 1f15485a8f504019784337345b7a116644fb99495531b9c7251483320fae2b0a8b0ead19696e040b6591ebef622255290aa5071edd6b58daea6cae47628d9879

C:\Users\Admin\AppData\Local\Temp\akwM.exe

MD5 231199ec6344ab79652a3811e1e5edbc
SHA1 b71a1399197130074bcb06d17578dd07fe097525
SHA256 2475e69483f91743c30742fe0d88734042832b5d79796292f406039cc6397b06
SHA512 c36044c4c9992d143a4ab692b0eca8baa61cc1b19d2181510bcd58056684011454654f01d807923ea6a5906506216c1da62e65457fddb80218168ff91f9f5e33

C:\Users\Admin\AppData\Local\Temp\eocE.exe

MD5 08d24469857bdf2a48bd5c83d16514e3
SHA1 6d3b8080806ef5e2d63bbf0fda0b884961458a6e
SHA256 35296b73777bb7d5d8389c8f01bf40039d61b8850928c28f546db49a6cb51af8
SHA512 0fdcbf32844c13cfa2d4a62a2c3e339f41ed2cbb0073ff7db6566a454d0548167d94cd4253bbfef8585c0c5b65974386f1692b4d8a52aef27fc7fcf8040978dc

C:\Users\Admin\AppData\Local\Temp\mokw.exe

MD5 e63593336308d0c1ec25029716a2246d
SHA1 d432895a59559ade99b09e3f166818dc191377a2
SHA256 7907334f0ee6a615056c98c98494bd5d7a865b46660315504cdce47ed3598ab5
SHA512 778312e552d8e400c38ff6ec072ea79d6515a176949850c584e5b44b575e71c7f64eb94cac3f2bfb783f57f2072e3f05358fffd189b4006b87ed4f8602e2876c

C:\Users\Admin\AppData\Local\Temp\CAgE.exe

MD5 73c59f2f21ce1da1483796a006f356c4
SHA1 16f2663b45d598ab13b0cbd83184b2d79b32bb8e
SHA256 ddcc2285b6a551955235c8fb4a889ea9cef8e47cd58e4f8792e5f343c9dcd604
SHA512 e0a3d10c92bea963aeaa69ba2c418c8c2c83025c9c31957796914dada8e6c7d2af0c33cc978eed0a29a20b7d4e5c456f51639700aa8b2bcd8aab9c4a7c547582

C:\Users\Admin\AppData\Local\Temp\kssK.exe

MD5 7e91a7ee0ca7a8f03f2d8a10ecea51a7
SHA1 1bf55785164baa7edc0c77f5453a3537afcb0139
SHA256 0f701e7ea6e8f796b4399200e085663e329f2db03034f96f043045ba4e052c9d
SHA512 d6276d4c7c63c95190a81a2ad38729e84f7cb0998113aa82fffc136b0d8b4477650fe3f484a63eba306e4feab26796c8d0f6b5fad0ea5abc5446baa1defa043c

C:\Users\Admin\AppData\Local\Temp\ogwa.exe

MD5 3db10e7fd0e79f61e09688c90264d4c2
SHA1 2fab947033ae32022acadfe4b528e401a1db5e7c
SHA256 a2c86d70a6d7c6d70cdfc79bf417afc5a40309666f7aff9d530dbb7c59125c42
SHA512 994b0ab8545f239f2ef41c7755189cc26e1a6f4b1621462cb91b163a63f9493386368f05539f7df2487e4ae2d86456f5d6751082a1628b11ec447847e8a2a757

C:\Users\Admin\AppData\Local\Temp\YAQS.exe

MD5 3848bb5bf99d3c665b2ec65dda3977b8
SHA1 bfa67b6a9abcc4ee3f2944970fc34263798deadd
SHA256 047509dd1524059a91774fc012ed7976436c638c725e1b8ebcb9f2598b9e5943
SHA512 1b3afc0173148a6b3c86057bf687d7f41b24fb9b38da7abe5bf9b9ca1d7423496d30596fb3bb2fd2c9c12d29d574c070aca88b02f724cc479762138456625df2

C:\Users\Admin\AppData\Local\Temp\wAIY.exe

MD5 0f78f16d4d37a06a28f5374893a1ede2
SHA1 1da4b9b780eeb4f0e26099a08f3a37bf483256ed
SHA256 cd7cf24205707d533b300826f6a686cd4fe91f727943d4193ff4e1ee64ecdbdb
SHA512 99a3b9a5587d8186faca3c9308229edb989ebc491a20a9f8e9f81a775c6ec5113e2cfffbeeabe9db1e3a2a65dad7b8145a1389501f6c849b369b6cf8cecbab95

C:\Users\Admin\AppData\Local\Temp\QwoA.exe

MD5 8f40e667342c0873bc2ce8c853318048
SHA1 72eda74d0dbd26a78add6c32b0b8b7fd17b4434b
SHA256 a0a86b6f2a13379db4566d267b332b1ee7545fba0a7fdce7cd3c65406ca69d12
SHA512 f9aeff7a2f3b394d71f9cbf0f9ceff0b72682c9d40e808db967f7b5835ecf6049b9291c8cb5739508fd55bf310873877092a2c451a836b1de0f9b0351f1537ee

memory/4040-535-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CMYm.exe

MD5 44222f58d809b9da4d6e60c52753dda7
SHA1 4f835f25f747fd096cbac53e06988a540d647989
SHA256 d8e7a36c448642a616a23a03a256c751eef4d870d923cdad69ccf1ffeb9fb297
SHA512 9eab29f74c9f29f74c0121a34a0f659ae554a68eb4fe63844d58c5d474bd4a60d528e22f692e77af86d3e24020cd01e560c3c61a623609ac66ba242cb04d2c15

C:\Users\Admin\AppData\Local\Temp\OQcQ.exe

MD5 ce2f7497b46fad21397cddd8abd86aab
SHA1 239baf832283f6c88066d828de2de25fe1b41fd8
SHA256 cb84bd1c588123af3cd69c9e34bf03a8d649a5941d5acb40fbc90fa1388346ce
SHA512 0c64b9ce8a82d62b9eddd6014e9d690b9b35ca6bc8cb8661b7c2adeca7484c731c88651c6f8ba604d866fff228cf25cfe9ce43398c58ee3bf0434ac50122be28

C:\Users\Admin\AppData\Local\Temp\oUYU.exe

MD5 034f46b75f4b022aa2d7cd0b4ea5aaa2
SHA1 ecf8fa32fba45c52cc0dd902fd96510cae412fa3
SHA256 6b28e00845a639e35672b3b7a08d9dfe94cbd3bd84d43725e8a4cf16a1e2aa46
SHA512 e79d7c0dcdcfa6f13eaf2f0f1f2db7f040f805e173f7d884ae0fc3909acef44cfd39589b91cbb7bfebe4b17976373149f9dc38fa5531d3c76be83c07e942bd19

C:\Users\Admin\AppData\Local\Temp\Csky.exe

MD5 44f626390a4a11e4f2456b963410c3c1
SHA1 e8d71c6a99f962ad16daa25a592d5fa1c4f9fff3
SHA256 ad4ac8e1f3c12abe47a6d3b2932942fd65cf01a71a6d271cd81d6d5d26632279
SHA512 672e8964602c8f27faaef16f5b5e8378f1d69b4ce85657289a37170c00b07948c56778420aec28256cbae6605a3f1e87275887324439cf3e0cf4561cdffcb2a2

C:\Users\Admin\AppData\Local\Temp\WkIW.exe

MD5 d5b07c039e188d9e38568567cd2df21a
SHA1 548ceaee108e4a80b84a8a58a5ab3d09a95daa81
SHA256 374decc9187c208a734398ddd8a2814ae0de3a6ad83c6ebb3fb299b73d2943d9
SHA512 ecc643c65bc95c363be05cae1d3a4ea6f7d9d289cb930ccfc38871f0999ed4ba09e02e9c021b0f30101a7df4f6c04854863d4e4a5f7fca51ce6e6d28479ab49c

C:\Users\Admin\AppData\Local\Temp\Wokw.exe

MD5 a7ea4a6267fe7eb30c400c4e2f97cd96
SHA1 7d4acbb7c6c5d1c6880dc00de57c9f03d7a65c35
SHA256 e1036297757496b3d6dc4e0eeebdf53253d1cb3b2906df4d96c7c5349d4473e1
SHA512 6f9e28aae22997166400f28d7cdbd2fd7afb80b3399f6533fa3a33710da24d5b6804c5423cd228cf9f3c833a4b80c8f58492aa55eeac4608dc8adc4dd8856c20

C:\Users\Admin\AppData\Local\Temp\SEUW.exe

MD5 1049e11665d84fedb2f307056ffc67cd
SHA1 e204fdfb088b57915512f283bf9655b9abb782e0
SHA256 3b061da4d7c80544a288e692524a7746253a653683d5712b705cb5a985165faa
SHA512 3bb36bd04f0deae25bb76ec785fbabd54bfb5037b0fd291296365f2d8cc12b8f184bab8252bedbffeef327ac778bb23e690076583559f1188a00a9053eaddea9

C:\Users\Admin\AppData\Local\Temp\oAIc.exe

MD5 be78878b433642be14c821cf74ff5ee0
SHA1 cf5e0623226260a05dc8a190f5b9849694b7c996
SHA256 8e7b038781c93ed75e30ab5684fb90f0ca3a6dda250af960577fc9718857aba1
SHA512 2b9f1eb01f133b95b48a186a95561caf7148798c5d50967e484e82175aeb01d754d22179c52ef893b656f1f9b7b9b3b7bfe131a316253bcc0f0754960b96cbc1

C:\Users\Admin\AppData\Local\Temp\AYUM.exe

MD5 c2029af1c358436abcfb520573083b8c
SHA1 802edac1bf3e34d5fa3566c0ae43a8772283c94a
SHA256 e7b1bf4eab8eee3124e5d3789d0796a45843999cd428f031569632a3acaf0189
SHA512 b4191055cc3e67fe61dd195076627b104de756da5f14753127ccca5eb8e2e86818dd7e5c74867154e26cdf6400a1f154fa4bd82756af7ff36c5513450cf09aa4

C:\Users\Admin\AppData\Local\Temp\mMkg.exe

MD5 436512e1a21d013a3ac13b4a1901a0d9
SHA1 88c2fc3b26b9ac2a91c1fa094b5ab1e7ab487836
SHA256 90dbd61107dd849ad591febc005abe0b81f8959aececc0805750065b6d68c633
SHA512 3f863de78342c79e159772282c1303c51cc4c68505dfb072bd7aca350012dc321a208d204ac3a130a9d71c676c2176c5e430e073cf11d58ea5f569d48ceb73d3

C:\Users\Admin\AppData\Local\Temp\cQwO.exe

MD5 d52227e736582264cf31abdf486bf2a8
SHA1 0eb4b0ebc1e9b20d29aa5a2fb6da333d17cecc2d
SHA256 32ccb3cf2b60ba2e19815cdac014d3243762c5fb1c13d1c30858b4ea4740a8eb
SHA512 aaa486ab79e3fe9ef539be7df06c21dc9b8a11d364fa9692dabaaf07caa21bde501b7d3e38a61d746a11b873f5e110b73951abc7710cf4433847d9e0be291c5d

C:\Users\Admin\AppData\Local\Temp\oIIi.exe

MD5 4ffa7a49e1c584d1e3da7f19bed6f76f
SHA1 0575591d3c08bf92700a3974737c303c6632a159
SHA256 c8789428593166805e23e2422de3240066dd8317657108333e0a2dc47b46706e
SHA512 798761475db98481742b026e5c209d3fe05bc31325f722cc91682435260976d24b95e3f3e7aef5b8a8605eae9df9fac846ea4d3e61df06c3ae69fa48952191a1

C:\Users\Admin\AppData\Local\Temp\CsUe.exe

MD5 510a80b694f401c34aba5000e258a8f7
SHA1 7e19f0ecf9108b3777468a31cb865e7bcf6c5c7e
SHA256 94f7236a607449f2880d9e25e83a076b95830a85a8a992787e8fb7809e7ab175
SHA512 8fc8a978dbc0e05872d74ad85ad04a72cf195028f6000cc04a81305ac981cc6b68ec38f3c9039f266b7aa7e3c4dc810618aa970ddbb2287b89a7a2fe26dc0e9f

C:\Users\Admin\AppData\Local\Temp\sMoo.exe

MD5 5c90b83c39f1375164f4aa06842e567b
SHA1 f37522e1fb0bf1ca2c0b4676157395e801422a83
SHA256 2f2190027bd54c9b344852dd7a09f15d4565a22399266892d012e3e75dc8e69b
SHA512 43e97c314ed37f113bef9a0a3f9e7df30415d22f4b21f36a1f6894bdfe9edad2c360e88797025773cc2131fc9b4d1d1b94ee9e7fb0ac99258439c1ff6b71cb1c

C:\Users\Admin\AppData\Local\Temp\yYYS.exe

MD5 b36711c84dfaf5da1d83544ef3c61ac7
SHA1 8e0034511272ec9d23ed80ec3af210508298dbcf
SHA256 fd4c10d3abb2f224d47f7d7d9d2165227276689fa4f08741b3242c63c8b98c6b
SHA512 8601cf6ac4908171f7d88f61c52db2f680ffcfe9fae81ba5b1993df4f5813192ac83973ead82579716936abdc384986029fb6d4624e4e4a2a488fc1273a5ab54

C:\Users\Admin\AppData\Local\Temp\ysUY.exe

MD5 077404c56e07890693f9e40202cb2dc6
SHA1 3974d5cb39e0b13da2a277e18ff3bf70e928e74c
SHA256 3efa92e427caec239f78af2970e1331a36f51660a945725f020f702807f1da49
SHA512 9b8e559e57df27ada61e5934d7d1dbb05cd801851ab01a19f3ab4e5de4b0ff960e4f8825b730f0ff67c83ee95fa0080fb54f717d554ba328e82f3b767dac2c42

C:\Users\Admin\AppData\Local\Temp\kMAE.exe

MD5 068517c85c5eee002c9ff162e2f08689
SHA1 c4badf208dfef9b7455be9c4aaa8456ba15e5528
SHA256 b0c8342c54fc002652b7e4b95103d6bf9dee4e0b3a433a3e5b353982749367f8
SHA512 d7973349d37939bcfc821a363bfcd1e1cf3ba3b7dd2c6112dc124e5696e9d881f002036a75ef71a425a235ead351890e3f8dccce8f113b8951a57672d066c789

C:\Users\Admin\AppData\Local\Temp\gEII.exe

MD5 af33e980ba004695dd520e8255744c26
SHA1 1747a04863408f8512213e97caec4d07a504139a
SHA256 c5b447da644a7ea9924dd465771be3a6c656323b1901d35c17786f89c5a956cf
SHA512 634e1d880664bfd1139cfd5b9a2430e47c5f35cf0082663808921dff777587e9e7dd082ef82e8248ddee3f88c0680c28af3f63a553fc5d1b8127e608e995d4e5

C:\Users\Admin\AppData\Local\Temp\EYYK.exe

MD5 e349d82284fd622b6e9969d7ab90fce3
SHA1 950337e1d57d2243119b92d5150f4746aeea0524
SHA256 2579cb8fac6abb9e5a121480a4759bd600bd7614c9dede45c7d69f6367ab79f0
SHA512 daa1d15d2a11c87ff74ae3f8688ebf026a6b8f4d35a4c510432efcd3c3a0ca4aaae5dc4e365b1968f00a953308d7adb14f335b6fcd6f15be08e4aff9d0a5ea88

C:\Users\Admin\AppData\Local\Temp\eUgY.exe

MD5 ddc5896cbdf2ced54e583ae9f1e0f78e
SHA1 13438b937cd529d042fc39cae0cc71f1804e46dd
SHA256 0cc8fa03c2c2598c2641a45e3f2dd8eea16a6b1b11c63ae94ef955605e4ed6fc
SHA512 629db68b2b6feb78d1bcdfd3a0745fb2fa0457ff5d7aee7ffc4b38416e3ab5c648e1fb8ddc6fd306cf18c1283c63a2d1974b391bf28e8ad9089a50a5d6f19357

C:\Users\Admin\AppData\Local\Temp\cgEM.exe

MD5 f34f3722f4f4b1b790c724aacc52defb
SHA1 1f371039d4dc379dbcdcd9a61f70cdd33b82ca60
SHA256 a4d3624224fd41a45a73686b50ca5053e8c1878bcda72fffdfce836beba78271
SHA512 8bcf286aaa13e8734fea935cccecdd2883ea2b9da5252744f0f9d75033926c8dbd03fef1e9f40e8127ea2b63f77337440ab67747dec06ef02cad220b17c60582

C:\Users\Admin\AppData\Local\Temp\swoU.exe

MD5 ba68ef8b8c523cdddee33513dcec7c50
SHA1 cf9221dc10202cbaf594232e8ba251fe318da2de
SHA256 38d0f41ee6a6eeaad99b01de0b752bc33550f19ef3b7e2a2f06651b9edf0628e
SHA512 abdc950fe21d20dcda9ec99ec454cab29d0b10a1a8a83d1812b572e68cdaf0a606187942138660798eb5e891980d12c76fdbed38996fcda872afd77fdc0d17a0

C:\Users\Admin\AppData\Local\Temp\swAg.exe

MD5 666ca1fb7b8276735e18380693aac750
SHA1 7d6c5bd35fb4fd659a5ec3ef8eb565df11b0b505
SHA256 122e8ddfc73cbeab62d18a1f5b93ca80548e175dac66cc6022241f5734d1686f
SHA512 7e615065875b04c0afb49ea938a4b8af72ec58dd622785872ead804b0e9bb8c5b013a88872c9afec98cafe2eb6315a5ea787b573a33a5d953b7f011689452a93

C:\Users\Admin\AppData\Local\Temp\kgcG.exe

MD5 5c2e60d6a12ea71cb1b510050f08750c
SHA1 b4c84852d3713474250d3371b001ac939d1e10f4
SHA256 45345e8fcf8560987675e6246898b4e007b9b4e4c530d979e8103f6e2c268848
SHA512 24fe1f96fd5c40f3343035439399253d659173ca76f3d851db6d427ec600a37536f5f3934c0d2bb8b027cceb7b9d3d3865e862b12bee9090f41e46de107869fb

C:\Users\Admin\AppData\Local\Temp\MYsi.exe

MD5 f379b667ce0fc71838286cd163b59e19
SHA1 831fe8886bd87ab23ddeea9a69600e56bb25a07b
SHA256 fadada7e272a013935b20242e3718001d819a0a17c6a70a001585f82d1b49234
SHA512 75d85536fd945da34c725e057dfa8c09b4ff7af466671129749e0c9e78175c2c4e17ce56a9f1bb70a2ee84e2c36134004b7d9ed7a3f582efece9e72f0b7ee23a

C:\Users\Admin\AppData\Local\Temp\UsMK.exe

MD5 a37e7eb875d9f67e41d8553e3389ab52
SHA1 fa21574e39705d93347d25dbf70826ce5b559df4
SHA256 f8794dfc10e367ef6d81a06650d1a1797dab8f6e99e6ff75157a832595f58143
SHA512 02ec1db162ab47267192846ea00c2b0adf4704dcb5d41d1a803830961c526987aac0967fcf2d25004b332d963f741f1f54d90c5934b77d84ff5a04b49a881b62

C:\Users\Admin\AppData\Local\Temp\gcoK.exe

MD5 40a65643cb90582b99dc6cee1957d6e4
SHA1 bfc34beb17f65e7285a7f1166b9763b693a27f34
SHA256 acb629a623d32ed49b02b0e650fd9aeec49b095d69f0e0248e5a1ad57e7fdac0
SHA512 c3a1d2f69730532f330f19a5f1c82251b370a9dde674e3d75128c318d8fd492a8d93097f69dac5d2eb4d2e73a19656a80192e7195236bf182cdf364dd6d4f69d

C:\Users\Admin\AppData\Local\Temp\KQss.exe

MD5 47301d75c7cf1b5c858af6f95c9f6e0b
SHA1 0f002421c88cb706a567bd8df626a9c52df50feb
SHA256 75b077c6b6faf4af1712affc809aa8242ee675062dc3361cb4dc03458ce8d2db
SHA512 1adf0cbe4f789555f85826df6d8ff0b5d12c018b5a6c7b28d56f10f87bdef420c0ae7d85a04f5bc223ab670ab8b240b01635087303fd4431bc3c651db0a27181

C:\Users\Admin\AppData\Local\Temp\qgcs.exe

MD5 4b04dd0754376ad66e1401fe7100284c
SHA1 d62081df5e7796dfb05cfe75aa18805dc8fbd692
SHA256 9756327da09bdd5a31a8c0c9987650d2c0db4d1e03f29f090ef3e09e1c34086a
SHA512 df0315ed9ea19374871154a9e35bd402ecebb3756c4e5820f8b1e7a2ebe9e4d878b91b66f385d7abb8c9d4c0ab7fe51c4c50207d7868c2e515f93e6d38300e98

C:\Users\Admin\AppData\Local\Temp\ywoq.exe

MD5 d4bc846e7818939fef59f7dfb3640b59
SHA1 bb6ab4111faca52c031b8a2528f86a4412094705
SHA256 88d509366b18731c000191b0d3bbdaede8bc663a2f320f1469415b3252655a36