Malware Analysis Report

2025-03-15 08:25

Sample ID: 241020-xv5cgsvglb
Target: 17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7
SHA256: 17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7
Tags: discovery evasion persistence ransomware spyware stealer trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

Threat Level: Known bad

The file 17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7 was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware spyware stealer trojan

UAC bypass

Modifies visibility of file extensions in Explorer

Renames multiple (61) files with added filename extension

Renames multiple (52) files with added filename extension

Executes dropped EXE

Deletes itself

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-20 19:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-20 19:11

Reported: 2024-10-20 19:14

Platform: win7-20240903-en

Max time kernel: 150s

Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Renames multiple (61) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation C:\ProgramData\lSMwYgYo\dAMUQcsM.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\rioQAwkU\aGgkEEoA.exe N/A
N/A N/A C:\ProgramData\lSMwYgYo\dAMUQcsM.exe N/A
N/A N/A C:\ProgramData\QwwoYYgo\GMEMUEUM.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dAMUQcsM.exe = "C:\\ProgramData\\lSMwYgYo\\dAMUQcsM.exe" C:\ProgramData\QwwoYYgo\GMEMUEUM.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\aGgkEEoA.exe = "C:\\Users\\Admin\\rioQAwkU\\aGgkEEoA.exe" C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dAMUQcsM.exe = "C:\\ProgramData\\lSMwYgYo\\dAMUQcsM.exe" C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\aGgkEEoA.exe = "C:\\Users\\Admin\\rioQAwkU\\aGgkEEoA.exe" C:\Users\Admin\rioQAwkU\aGgkEEoA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dAMUQcsM.exe = "C:\\ProgramData\\lSMwYgYo\\dAMUQcsM.exe" C:\ProgramData\lSMwYgYo\dAMUQcsM.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\rioQAwkU\aGgkEEoA C:\ProgramData\QwwoYYgo\GMEMUEUM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\rioQAwkU C:\ProgramData\QwwoYYgo\GMEMUEUM.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\lSMwYgYo\dAMUQcsM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\lSMwYgYo\dAMUQcsM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3024 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Users\Admin\rioQAwkU\aGgkEEoA.exe
PID 3024 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\ProgramData\lSMwYgYo\dAMUQcsM.exe
PID 3024 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 292 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe
PID 3024 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 3024 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 3024 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 292 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 2856 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe
PID 292 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 292 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 292 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 292 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\cmd.exe
PID 780 wrote to memory of 1324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2856 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 2836 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

Processes

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

"C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe"

C:\Users\Admin\rioQAwkU\aGgkEEoA.exe

"C:\Users\Admin\rioQAwkU\aGgkEEoA.exe"

C:\ProgramData\lSMwYgYo\dAMUQcsM.exe

"C:\ProgramData\lSMwYgYo\dAMUQcsM.exe"

C:\ProgramData\QwwoYYgo\GMEMUEUM.exe

C:\ProgramData\QwwoYYgo\GMEMUEUM.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CegkQAMU.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gsAkEwEE.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oqYwYEMA.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JUooQEsk.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pakwcUkA.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TCQosUIE.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bUokMcMo.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KeAYsMkk.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IuwIEAUU.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UIIYQosE.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JkUoksgo.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DssgwAUs.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hakYwQEw.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-785080411359387590-16401205094999605891885353421-672949450312212131053147159"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vsMAMkUA.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PYwEocoA.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1130275439-1856888359-1547350166-1718578618-580851881-1453349412312186494-1259283390"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CEQwUccI.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qgkoIggk.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wAwQUIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fAQkkIkI.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NKIEsEsg.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tWYkckwY.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EGIEQcEw.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SCUgssMI.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\owgAgUgE.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XcUkEMEE.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NCMUkocc.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DoQoYgIw.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oCYEcoMw.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\USgMsEMI.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sssoAsgg.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\caMcIMYw.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lCQccwAA.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jCEUIoww.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "17036900701744755903440253796-1988412273-1758442431552721434121465649651560692"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iaEEEIgA.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aUAYogUo.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xgAAQwYE.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hoIQoQAY.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-688435106-15991413881859583284-1266191064512547131-1168925428-882246132-950840844"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1299367351-17525762671561777753-193978848-1943906050-16723503918902913831608760877"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\neIYYQMI.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-110591569803295468-8149814616920846971079700462132511707-387853077927253452"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IakUAoAs.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "732129482-1251021325-434788088-1583236389-883934562313243996643505381440286682"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BqMYccAI.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1511112247927322501446479402915487878-1718943718-9085940457738500941333796489"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DIUUMoEo.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2117612996954703923-1788005852894329783-19642472811443069211-18775674-1930706554"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cQcoYoMg.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "20274170751734871159711314150-250847887-17837354371702407060-508678751-481029153"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2064038077793575363298926964-2269590321654642134-2610467692112883139-1801101387"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yuwocAYw.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QOEUEAos.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2074466885-209303810716236724253140753315186152717008040351890534418-2136047984"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PIQkIoIs.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1873248473-79268704626351887116709526861988488662-17241654641826527393-1404761082"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\beYAkQIg.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1507619870439155893474748191-1560740188-12587270248727568151443399302598762474"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1776638418980735203-1006738744-118983291918976118201508300080515811775-1045624017"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Veggkcss.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-9979025189210572031680183711-14882176781173067191-145987742-1584040523-699026541"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\asIgIMoM.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-137746830764488429555805673645899410520868317771831465206-1228046024-1735897542"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "202901651-1597458321-986483718-200836939-1624535899-9986597916611666051743489237"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IQoQkgoA.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "432420210-2010445326-12395581531035585552-18832668921186061840411269131299509030"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kUsAwwkk.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-149123363723199034197384320420469621381994948336-1775933983-1944180363-226567501"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-377434498-11939985369340947711671572871103259463417613019401106497578-700761134"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "11408134491241498742-784029998-938857116-1442762520-1632039499466782077-432979296"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cUEUIoMw.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2133755354955961156-967668041127969272-516330676-16803220691329372201071896289"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-469690914-161979351-15559054271572712809-2602912871132541164-13904062646191222"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vCUwQosg.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "322438252-1365355566-818016231-1546894917-1035682088-36723580414379278191036371624"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1616764757-2147147535-142292656-1142005381-165465265419645283011014816980-1783673463"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NcsMwwEc.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "781770864-19545228531677177675128544089839611303-88311502673675783-495797181"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1576844900261128057195284638812475107591117715794-1525227645-1125621988-664989673"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XAsUswAo.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-20599770051585881626187125340410730705381084157564688888433-2272199341526179422"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "569334278-58896091663465493718819232712069266663854213021-1957427469-319870854"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1332862816-84276921-84734398716275474-13573695631036569170942415964-1738566022"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iYUQkUso.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "189314144420488542981869548715-22821901211094566971615980654-135187005992354608"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "395588783-1484196202336751479950269378-16975004348802936541310361149-1229856705"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
GB 172.217.169.14:80 google.com tcp
GB 172.217.169.14:80 google.com tcp
US 8.8.8.8:53 google.com udp
GB 172.217.169.14:80 google.com tcp
GB 172.217.169.14:80 google.com tcp

Files

SHA512 998f8fd13ce977c25da27ebf7037f0cf4cece351702f434e9cc4f3fff6ca813a6a6186af66b237307a823dd48d09b1583861981dc66d63f2a1166b93640c1f15

C:\Users\Admin\AppData\Local\Temp\goQM.exe

MD5 4b428b24b80e6b95a4111d865c65d21c
SHA1 e1ca2f351d1812f49ac6b979e75bb80e043a80d1
SHA256 5ef8aa983ba8013df6e4ef68aeafffaa6e01fba8b632733c573fda42fcedc825
SHA512 68532b31e4aeb2385fbf3e069e400e3bf1f28a2aff1e1f4449a39c5ff988b45da6a0b2f3bf2e1a36345cb49541bdca6195f9bf515bb12fef61e05bac9b214af5

C:\Users\Admin\AppData\Local\Temp\YMYc.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\qMAK.exe

MD5 6ef181c2fc50340d52503bec0c5bd7c3
SHA1 2651c0bccdf2bea29ed7ad2b3ecf02ce58c997fc
SHA256 38d698b7c255e3b06bc2fefef4885cce2209356533014cd451556e03b0a74e16
SHA512 7fed7bcbb66cee583f9632ff10999c3ccea633785b6432f1a044ab92ff8bc3f9e3d2ea5fee8fc81cb6f3b25d7373e998175154e0de135aba766db1d79a4768f5

C:\Users\Admin\AppData\Local\Temp\IkQo.exe

MD5 bec2ee12becacfa9221a1e7fc0efcdd0
SHA1 ea207b29e63f37971dc2d2ebc6cab451af431f4f
SHA256 731c38eb8c482c4dc544ea13f235cdda5b80b73b577d605a050396b7693ea58b
SHA512 941d16d3f15f0db043bd3beb20af363eef07bb9508dae9ca5af9bcc4e9ea17bfc99dc30255c8f227175e3a97eaa984b755a16bb8efb70df1b7a35a6bf64d9edf

C:\Users\Admin\AppData\Local\Temp\YuQsocMY.bat

MD5 a182d1d8063e57b3f552a3ef18dcfe6e
SHA1 2c36f5761b6bc2215ec1d11d7afd9daacb4c1b26
SHA256 bc0fefa17d57e090c8e12d4349f36b1eafaa6d512e09dca28a2e710553d90c79
SHA512 e2c8f5ca3fa8821710726036aac73d1b849413907de14f737855a342b9aaf07ed5a2a32584c8baadb842266dd0eaa11ac0c194379a4e4065be426c8afb1ae369

C:\Users\Admin\AppData\Local\Temp\mAQi.exe

MD5 e0f2f32fae56ab08dee9149683e7ad2c
SHA1 b4fbaa2dcc6cc0e271dfc6641e1c3a96e7807f80
SHA256 e657d80fc4195d2942f458c77a146e74bc168514422c4472b0a4ec5567b0f63c
SHA512 b5e8d07528bbc7c6762acc251f7ac243b11972ab36aa57c4014ca6efcc2b5f15703f2c3c9606fa2f9dfa59d911ada783c9c58db8a4a66a2d72a9d5a3eba7b6fc

C:\Users\Admin\AppData\Local\Temp\OEka.exe

MD5 4727a18615ff038d918d53926a4b39b6
SHA1 087e3c515181b796017e535478d7fa1cd5f3ba2e
SHA256 f5e4c9b022951e8d4394533bf4f7332c86c6671f4583ca3b053353b3c322472f
SHA512 40fc2885d42ac066d0e7c5f9e661dc211af3a21ea0ecac0a7894a5349563a1f49ffa140e60d8de17456936c163fa983b96d1788ca201522a77c15699dd09fc37

C:\Users\Admin\AppData\Local\Temp\AUMA.exe

MD5 14b04f4885809b82af29a4d81d4e25c0
SHA1 18603547aaa0fe5b1204246e14d2d05d27e2f55f
SHA256 ded5ae32aefe4e3e7110d82054144dd0a2e8bc8d805132d78af4dd0140ae2b36
SHA512 27199398ab593866f02a7f04ef98ddebfd4d323fcd52059ee9011a3dd495693102dea92033007131c142a7b7e77cd6e345a7f6bc515e23790797d8d561c5e9d4

C:\Users\Admin\AppData\Local\Temp\YQIu.exe

MD5 188505f418f5db8fac85976b6cbbd073
SHA1 6af101e5d7b57bb9dd7ea0aca47737435633f98f
SHA256 273bf090147f803f82606fd7fcf65a5cefdcab2bed43132a920917879f3cdac8
SHA512 a21aabf1a99462a6c97a9b74b91cd8f6d26138bc784eb4edaaaad3a161b7c6928c9088a8df994a1550ca3aca534b11380919b7e65ddf4cc42b6171760d54d7d4

C:\Users\Admin\AppData\Local\Temp\cYYC.exe

MD5 8e9b142d273446534d6da0890fb04319
SHA1 60a6028e73947cd232304a3cad8b17e672270060
SHA256 221fb54b72531b66bc75674c5d8e716226f0a63b42dfbccea2a5374161032813
SHA512 b6fb7bf9e1c8fbfabaf018d0dcce8a3a3e024aec60aa1afbbd5948d244b40821f962e390beaaa0abe050e7758d34eb9c5e4206093312989b35067f78df5bd927

C:\Users\Admin\AppData\Local\Temp\soAW.exe

MD5 bf56ad0a5f218e65686527ff3d6f175f
SHA1 0275127ff4e3756d5d5a92a9950714ba30742d61
SHA256 eb854ce558b37aceac1d9f094cfc04c55f9fcd9c161a3055ee87858e66e0f426
SHA512 9e03fb40238d0a9f74ae41398d9f9e714b0ff0bc29b37ac72ae9900082d11fc782049374266fc3339e97af00afd043c6823b69d43a29f13f2312eee489236628

C:\Users\Admin\AppData\Local\Temp\WksA.exe

MD5 ab11df7425aaf297d7d6e84eb57cd8af
SHA1 0478d19ae788b79397c8520087afd83bbfd18023
SHA256 c2a13b061ed9c3fab0a3004d81a6d5af22134baad323499df94a97b9ac0c4869
SHA512 e2119da1be59deef4fcd665ef6c8e034755144747169e3b1ecbb9a8f4c8afc1050ed952240a7a9669cdafc8bd9b5f7d8383eea0869ee070c9a078a929f6f194e

C:\Users\Admin\AppData\Local\Temp\OIEK.exe

MD5 77ec4e05988ed66d53d6dd0a87d4029e
SHA1 5b14b027070c735989ed7557d51c8025dd460534
SHA256 ebbd05251effa6c45588a5f5478146608ab5684f1ac3b8a060edf03a9db8ba5f
SHA512 8d9e51dc5331b2238d739cc5910ff8434e51ffec4a839e72ad761c5f6c368e6a08759f140556691eb81d11b8e74c42bf1cf5c48cd1619ff81b7cc5945114bccd

C:\Users\Admin\AppData\Local\Temp\cqIIcYEo.bat

MD5 bf53125c0e741e86cdaed65797e70840
SHA1 f28812fd64dc883cba825bfd4c523f3c6a5042fc
SHA256 079184432efef71aa8e4f19ada49f628b7e6b1cca6540d530d5980fcf33a7059
SHA512 bf790766e610cf17c3433afdda351108118b13e73024ff98a35ccbe28930ad4cad13f9827b340bd2b4846c96ca1f79d05c03e8b0489a7b0193a4f023c3b9827f

C:\Users\Admin\AppData\Local\Temp\oUgq.exe

MD5 b89f19aae63457195f15bf3c5d033792
SHA1 d6456c01c04bec4fd4b2d04de3c7919d2397cac8
SHA256 8f391869555c6aa5cfb48bebff727271a578fe971a4377ab33dabd4a68c9fcf0
SHA512 079573245d47bc5f8b63ccf8a10cec1ea127f2833c5257c9e4a571512aa3114f2088fe7fa78a7ec924945f0d3696a884782fda03e2e8a87700c5f93be01a1021

C:\Users\Admin\AppData\Local\Temp\cAgq.exe

MD5 e0012ffe2a4ffc085281ab8fc9c41056
SHA1 388079a3d43fa3e0d57eed681df59c68964b6ff3
SHA256 1b6b54f4879688b5ab83d725c1cf151335f9c3943fa53a366047590b7c111602
SHA512 7360874a23803793a51e8adb15d9caae01f12defe8cc73699ba2ef420177c3ecc776567eac4ad25bf00f789438177ac71196962f1ae9e1336efcfeff869c56b5

C:\Users\Admin\AppData\Local\Temp\wkoK.exe

MD5 f10a05bd7827f4460ac9d1b2bbd9d5bd
SHA1 5be72bd0f56dbdde116cc25cff3fd4930c59ea70
SHA256 399d7c21d4baf1196a79cb0656c2e80e99ec24101b757c0d13c2d59b56b05fe2
SHA512 a21a48535eaf5b10794b47e04603a7976f92a8d7c3f719391aea501d12bec9f96baed2490d3415b9a62c55b0a9dba1ce43c0f161a48e61b0f83d322a66be0e02

C:\Users\Admin\AppData\Local\Temp\iwAs.exe

MD5 5f7f89582acde5d96b58a337900c5c6c
SHA1 21e50c041108638c9a02b9aa5775c42a789fe921
SHA256 970178c38976bf93f95d690160e284d8106cbb434c2605bf3b78b3d2731f9133
SHA512 28a93b5620bb4082d4bf4d7591477fb6aca114be042c59979ab20a44c1cd9e9dacd6ff39334b11d893abce57e84fbe90bbac120cee23f006625f64bfd64ea60f

C:\Users\Admin\AppData\Local\Temp\KkgA.exe

MD5 b1f63e14ebff10ea890833c4d225cff9
SHA1 53550eebeb9b8ef011a451a7a655e474edc5bce3
SHA256 1228d00e50ae36fd78e4fc4de1735ef67c0d6e1ade6424c3942a250ea23d8915
SHA512 143250bd9b3428a7240cafe428d07d6de32a7e90332d80de60acee3097a670d326b6548e82c64d29cc637712e7d4f3576fb2fcc58c09e71554c51c7dd9331f80

C:\Users\Admin\AppData\Local\Temp\GsAw.exe

MD5 2decb4df2b770506abe1c6b3c878a8af
SHA1 723b3b57b16a1031518eb9a7f1766ec962c33e2f
SHA256 b7a8f1511638e36744ccd86528eb335c3307db51bb452e6b6067a86f4d1374e4
SHA512 46899956452efd4b244bc5ec5d9505bd692568fde8df7460f2eb9ef5fdc27682c39368426e61e00a5d3ac0c77f68fb2da49b8a1c72dd612a2206df86a5b7376d

C:\Users\Admin\AppData\Local\Temp\qUMw.exe

MD5 df161b6bc6482859e31dc9cd2b77935f
SHA1 02b9723a088d01c99e3ebb56c59460f8c4d0d42e
SHA256 b1664791d1a40fd0053b351e834b3e7e34ed9b04554e07817b6d3ed0ac08ea17
SHA512 88a43dc88b1514744c40533acf7a54e8812d31d68febcf7794d51c10cc8aeece3d38e166b5dc04d5b583e70a858c42f68ea67483e52917eab0ed7c6d9e662f28

C:\Users\Admin\AppData\Local\Temp\iWcIUUcs.bat

MD5 9fe422a3f904bf0918e4f0708ee1c500
SHA1 aea8af8ba3726a2e44a231fcb217467bcb84e6e5
SHA256 461f91633d9fa2737009701f993488d79f4c11f71337cd2622ccaea8508a9c6c
SHA512 1613a99ac95c196cc606380c6171b0a7dfd28da97fcebcf70b4522dec5649b085ae68ac623ed2cc593c4509024dfdfc3ae8d970434905d83caa9814346e6d00d

C:\Users\Admin\AppData\Local\Temp\UkUq.exe

MD5 71ef72de4b0c65494866b4d1842d7b25
SHA1 79c3af9825fabe34ddbe62f262b77fcff02f8966
SHA256 33b7f27a3a32b638e9a326f9eac0ceb0ec2a23d7ef4a218ebc7edad2b49ab6b5
SHA512 9ed967e244163c457a7e9db5b4091329ef801766a67645345b6d195c4995d659653cbb26c17e12e05ea9c88d90e3f8b5fa0158a5be4140ae98818490e159d6fd

C:\Users\Admin\AppData\Local\Temp\eUww.exe

MD5 5c7e1cd376fff13e72800d9144c8243f
SHA1 aa63920361953a0bb3e72354ddd51fbbecc8170b
SHA256 b88734c3921cecabc5a85951049c471461fd8d4f3374b1f22dd1f1ce7e0290e3
SHA512 e4b07afe906f114caf2e4c1706849e5098ec0a284568b96e54f14aabb67676303ca5675515056b9201064f0f1362ecc64cdf122ff9294086103652d08ed6d102

C:\Users\Admin\AppData\Local\Temp\EIkM.exe

MD5 2216911fb0ad580d10ea844127b57b99
SHA1 f0a5372f72074c487bd8803065f4517b64bf6ded
SHA256 ea097c633fbe067e581bed7f8be46db8a807586fa533bb1e9217aaa4d4ad28d1
SHA512 9df9d71e8992eb01ff1c91f42d0fa073b5e91023e294de0cac74d89b30027bdb1e5b774a5ab56e4b97f3650dc72f1c8c035542986041d1e76de3214423aeb897

C:\Users\Admin\AppData\Local\Temp\AwYe.exe

MD5 d3e27f0661dd0c7e346fca7229021091
SHA1 ebe813f20006474bab66d54fc8dac05f40b03e16
SHA256 695caa66b520c877c3f2ab11f71147b3a3fcca3302f4b9a8f3d202d1764e2b80
SHA512 0c6abc75bbcbf1dd6c7ca7629ee402f447c7c260e411dd840414d072e4ce33c843dd40933b9a0efcb612873a4b6579de8dd68f9cbb2daafb3a454411001c6635

C:\Users\Admin\AppData\Local\Temp\AAIm.exe

MD5 694e5c417228743f131423bcd84e89f8
SHA1 e68ba395f559c37c321f82be99bf1c18feaad914
SHA256 336ea19f845a9259610b4933389ae31ea26ecf9b08451d6b9c270b32fff57b86
SHA512 e9568c2103b8469b5f19901880bd1688ccaf423ef9e2a23c400ecdadbd428aecbfb2011ff65553fa08c9748d4ed601d6a972715a8622460cc0ff221be3735842

C:\Users\Admin\AppData\Local\Temp\qsoC.exe

MD5 30e92c9bfde18d5e8e425790464869e2
SHA1 8d54b0c74cbfe78ccb809ef0c702b7aaf263b2d3
SHA256 0e9faf6467ba38678aca31ef7ed81cc21c130877b2e6318b28d46acd0003d8f2
SHA512 93fe32c883607a3526f5cb6674602d089f0ffd6187ffe82d5bb9573937859627a4c0059c573da3cd1384a2c6f7731c3fb446a87f1ecbde0af469e8c94ee94e2e

C:\Users\Admin\AppData\Local\Temp\ysgQ.exe

MD5 9593aefdace9493888817e681556acf3
SHA1 f08840ef5d5d2f5a1084a975dc3f4faa597a366a
SHA256 1b17b99c00a8f9fd77758d2c7bb9f274f1e5b71c1185b3f3a1b9c5482c6bca2f
SHA512 628a0966f0a58242bdd5ef3c2f266e8b3062b745f56e170e84318147061efb262ad020b3748416d67166ab24265242053fcd1c0bc1123dacfc4752b4a8f7f17c

C:\Users\Admin\AppData\Local\Temp\XKssIkUU.bat

MD5 3a7620a07dd184a6fadff09ecd39a1bc
SHA1 66e764b2192eb99672143d7e7c88d500cf27b9ee
SHA256 f1d74ec95da2127e84730533fe4966dd43de00f923414c163a6af3c1ff972508
SHA512 c11d9b65c20f603ec05fad94ec976d7700c71dbb59215ec88de98d57d2b16fc34dce52666b409d1abfe5fbb1a005610f23f60a1a9f1b9a80063b7c1c9988382f

C:\Users\Admin\AppData\Local\Temp\uMEs.exe

MD5 a8250d1fc0622f4f23993d213b7d27ab
SHA1 c18016bb29d1429af38f9293dbbdbee3243200c7
SHA256 ba44e5fe13e7037f00c29fb3e5b8f1964df5654c45967599701d1c76c35ac5a1
SHA512 c87ab05edee4f05140de1aa87e8a3c3b43bbe1fccc6d4fe40cd9404311dbffafadad44ed35211316d467b31acc4a0e260880498dabc78525e79251d3af7e9f08

C:\Users\Admin\AppData\Local\Temp\uggQ.exe

MD5 f2bc16e3a45c67a3d7765efd58407efc
SHA1 9f30df599c9abf4ab139c8c18e48bc49dc2ed77e
SHA256 c59dce9cda6e651a6dd16c080e93ca07030b351fe5ca7a4e0000b37e63cad72d
SHA512 19ce822cb8a17d2f39aef72b72083f3613404cf3dd2b37d349507f6c63f1f216d43f90389573549ce10ea56560d1d10dac8a0c6a29dd31d4eba82f2323caa575

C:\Users\Admin\AppData\Local\Temp\IQsY.exe

MD5 23b985dda5ef41dbe0ef31781c4f10e6
SHA1 ba84d7caa4226497d0b56478860c555b19010dd5
SHA256 0b1163f2f1d1d4e963f240f051e29706dc69fb3a9ed41e657f5cda65a5ed9f76
SHA512 357bd8ce8cd3543e159f83193769e2c2b87c715582b952e03159995b3ba67c24b6853efc8031e48c86bc6370fd054764dda1bacf39662f0d4a84beb46cf3a0eb

C:\Users\Admin\AppData\Local\Temp\owEa.exe

MD5 2983e1bb85a995bdad5a41197525e8a0
SHA1 4673639d6372c017b8cd3df6c4602590f5c9cc06
SHA256 9f39e3c35eb4ca95d525411be8779c9ccd36c289b4d74825ed9f8be2dcf8ab53
SHA512 a262088a34443a221faecd86b8f7879d4f08c95f317bbb8a082be8564959f9a5573dc14ba807d0ca345f0f2452b77b61eca208a1c33b5602f32d69d18b492d7c

C:\Users\Admin\AppData\Local\Temp\ygoG.exe

MD5 afa8d320a9d79083d4ac3f5c285e2620
SHA1 79ef79f02af90f1c1cff2a52e2dc92e07a126882
SHA256 3d8ab4f398893f5dfabb6ea2c0e3c40b526f9b695296d870a0ceb47c23324dbb
SHA512 778cd555bab6f189a71d30c485d397651f6b42194e28909d0bacc4a7ec3d94fe21dcaf7962efd60693def7a5b087280a2e7f296fadab8c1a4c78761594165f4c

C:\Users\Admin\AppData\Local\Temp\qIYw.exe

MD5 c19b3985568c5a1c5108aa64d3f6ebef
SHA1 83b82aea0bd04ef278d29ae39beeef6c43dddc48
SHA256 8eca995be5d47fc2a211f2577c56a602819f9a473068a9117690a6bebfe6b07a
SHA512 3eec5b784f0d38c6341436e2b2f93d11006dc1f281b30d42c743b8d78f69d8e2937d12aebd887874567d0170f25bcc6c32d09124fb36943c45e1d5e1b855924e

C:\Users\Admin\AppData\Local\Temp\KgcY.exe

MD5 d82e9b833c24a27087dad2c51b2c685b
SHA1 f8e373ceba4a170fa20725a7d6a5c4deae6d0352
SHA256 d86ec146e352664b92099d540bf35bd1c3cac85535f542f6ed108eac4d659f5a
SHA512 0a1e009cb0614888e28c5bade71051773b9541a413d3200df80e8fccd02437689273ce2e421044aaa1a5dfb4373c056de2313e90381934db5e3cf1d5145e156a

C:\Users\Admin\AppData\Local\Temp\AoEE.exe

MD5 2e1249c680df9e406e706ee6ba492172
SHA1 41fcc2cd097e77c9e65c18535b7f19a56bba550f
SHA256 09df72fad84239ad243e344ac4d40b77f2ffe68c8df8e31be0a2d0c4a6d2fcf8
SHA512 e6b4609e29e9ca8a10b18d3087628d7ff7ffdbfd164d5e06b34475ab8b3332bab0e53aa5e97901e522f4a0b77de0f96a303ce97b924e0f10f3408e5949b5ffb2

C:\Users\Admin\AppData\Local\Temp\gowM.exe

MD5 7d976e45cd25c046cb758d8238a52229
SHA1 3a34be9a35a33dfa9fd8efd13272dac12a19c538
SHA256 263a44fdff85793c39a8cc262903650dcc43fa4704006c607df1c39de3b34b4b
SHA512 a1b8d298a16a1e2472ace9168fdd5efe9a73a7a675cc3755c88f1a2ccbabb60169613a5f97de05ee556d95bc9e4a49244aca1a08ba00674fdab162538aa6dbcd

C:\Users\Admin\AppData\Local\Temp\gYoO.exe

MD5 9dba4312efb444e1d19a4756bf3f96d0
SHA1 c6980a51c8131b3eedf4df8a785826bf5235f315
SHA256 c8ffb91e3f6c10081c8519c949ae0312358bdeaf84fbd47cb89a2c60b9870627
SHA512 65982f29a5ee1e6bedbb669a636f0a5ceb57f830014e6abd2e6582f2f50053d3dc516978be524ac52e54a4e857993a5fe0b8424c7323cc90c7d12c240e717ecc

C:\Users\Admin\AppData\Local\Temp\UMMI.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\uYou.exe

MD5 4bd741da1d75dae265c3f5fc8a6745e3
SHA1 c929dfe00c6f37365356d76a419a3b84b84cc24a
SHA256 1dc0593352fa80087cc305a0bf499017682e78484e8bacc1f5867db683679c1e
SHA512 d4c117b29211a27f31e417a1ffc1e1225180b856096b07361a9b8815ace4ceb2f525b0ad3928c9fdc78e9d0ecd25be48a1f4afce530ebe7108df384b57d499d3

C:\Users\Admin\AppData\Local\Temp\ZGsUQQYc.bat

MD5 314e7eeb069b2b1cf043800a2e05491c
SHA1 3584bdde137d3ab0f67d2046c5f441ec001579af
SHA256 9fadb203f499fb540e1de340ba1cc11e767824887a5bf80e37a35a4eb2035808
SHA512 eb2385d695d4dc0d041ffda9457d5d5311b4b877194c9e48939eaa62d0dc101a0a7b6765f3e766c1c82abe71e8fc9764cce282a8a38b9e482c676d26ed970f11

memory/2392-1204-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CAcW.exe

MD5 81d66b954a0d97a6fe3c9a7f89822137
SHA1 d537028703c0f2e333aa6449f9d75eb39eb6b0f8
SHA256 b5d87eb3522f7d26ac6a3d951f77bea64b0de017eb233ae60fcce4bdef40cf3f
SHA512 d88d26cc8f0d5f6611b990aa1318b98fd330f8c1d953183cde8acc14e61a42a5a798bbe79e0e86cf40d6c4c1740009a20d4590e399e2194a43ea50e8cd4f0f4f

C:\Users\Admin\AppData\Local\Temp\sEAw.exe

MD5 16be9be53c962f587060b88359893171
SHA1 818b841f83d2a0ace4bdc66c658dc5c95514c759
SHA256 4479b551b2c6565a8e8de921877cac9d008472fd94e710eead1a4a49ef523ebd
SHA512 281085d8a71d6f0de2e1732521213ee7323124f20a952eaf9f40c5c95fd9a743388a82a9b42d2eec39af1bd93a054caaed2ecda738e4d3fbd10e4ab3219a67d3

C:\Users\Admin\AppData\Local\Temp\kYMi.exe

MD5 be62e8f4e838cf26a4184702e8fbc0e9
SHA1 0c4d85ec1d181c38c61b6c0adc1406ccf9ae5d78
SHA256 46213dc6cba36a95d526098b9397478809f916a0a1ac82f9d7f26c464452b978
SHA512 8e510bcf090474fbfa36aa2272d31e91eadaf64eecfec919c5912fde2fbff33d827dbbd412039fac407bff7f7161cef606ca2fc7da7549b93f3d0e1378ad2b3a

C:\Users\Admin\AppData\Local\Temp\asIE.exe

MD5 2ed43d3f117d8322709d2d1d67496f9a
SHA1 55862e6bec875953d182184f5bd72c749a79a024
SHA256 05167c25e8ac0649a4800878d2b11b6fb73d6195800032944ccbe029ee8b2c91
SHA512 206759c68755fa73a48a1421a1af082b9b179ebebb77e16458ab2b3a012b9cdb6e7164313bfcab4ef9d4d1ea7544f4782bac92d063a69acb48bc618af7e778ef

C:\Users\Admin\AppData\Local\Temp\AoUu.exe

MD5 8dc8b725527b7231f046874f99d0e36a
SHA1 34eb77f93ddd7fb7d22f138e0ae58721cda111e3
SHA256 0be6771a0977e658efa195845828960e4a257d0f9759db2232772f784b2855c3
SHA512 9ba3003116769349558f1dc7a31281489c67db106c8a60c20899b8332bb13242bd2dd5e9149d08cb16cd99edf5c719a723a444d689ecc6a7753526d6bd583419

C:\Users\Admin\AppData\Local\Temp\iUIy.exe

MD5 20cff14384eb2c46385ce69231a32592
SHA1 1f45001eab622ae3cf73519eb8ca2d33cea51eaf
SHA256 1421280bd42a98cc4cc9da533d6a2d604ea408677740f936c4682624f711b6a7
SHA512 9063a577e2e7c17b76075cb7a9c2ae4ce227adbfb714aa461483ff7816b04cfbd5e8efff31d1ad14ddf952ec84ab371c6393059383b16b951b318a9a85d967d2

C:\Users\Admin\AppData\Local\Temp\gckc.exe

MD5 08e9f14b902a519bff28a2e2ed7f854a
SHA1 dda38d622ca38d2e6f65519c423c46d1d8d2587e
SHA256 27d2fb28d71483a50122a888ad95e83b678aa5b9d3cefa6b9ed01c45852b1b0e
SHA512 3ee7a1f3a7275dfdd5f2bf13ee38421cd87cd1d5f897063b95816bd8adc7cec4a10037dfb5f848aa50449d8937b7676fb9ca0eed2278e9b981de6ba145c78ae4

C:\Users\Admin\AppData\Local\Temp\IEkW.exe

MD5 43f98dd28806573ecf258868b9b61843
SHA1 dbea8b91bef7a1be4032206a6076bfa976363498
SHA256 45137cf7c010b942abdb38cb7ef61a87d8564c0d6bf52b3b200a305b3ec670a6
SHA512 59ea6ebaaae322cc8420505ec080c23078612f469fbb239660827c7053474a39c854ed72492cee546cad470d00bde7957b9c7c88d1e6de2aa776df353adc1471

C:\Users\Admin\AppData\Local\Temp\QscE.exe

MD5 7fa77607094d505b58876fad0afedb7c
SHA1 3bc286e6367fc2e9c8491baf10efb2ee1cf17bfe
SHA256 2bbb3c5333008c41e92768001cbc67c5a37bf91033dfbf7d3bf3e1c7182bbca9
SHA512 915d08ba080346945487ccb6ec7678d05044a05c27822c2dce154788eb5f601462eaace485dd89caae8f5fe94617304794dca90febec9af1955c7f706e0e8ddf

C:\Users\Admin\AppData\Local\Temp\Osgm.exe

MD5 2d2e4e54c0f3305eadc547ad569f2679
SHA1 ad6d4f0ab37652476d47ac962825a468cefd3220
SHA256 1984d3f5b1eb95febac94c7620ff1427a5cad3abf36accd7e945b40fb24f54ff
SHA512 c535b14832275e7f63916931f8c7ae6aa732663918000bb0a7737cf79626d7ecca2496625f678e1b893c0badef7eefa2d61796c3ceb703d1e396b9137d9b8c8f

C:\Users\Admin\AppData\Local\Temp\Kcww.exe

MD5 4b307cbf12f806a3912344d92f44c459
SHA1 7346f568c3989ca9294f96a22ef920672ad75eff
SHA256 d0a06af235fa867e18b99ee25826a1d0b69e78ea8aae0b7f42230a77bd884fa6
SHA512 d2a7e0e6dad7937550f7bb27efbf1dbbf586492f1c0d192c915b5c195204cb377bf7134cbc4934d2501b9d27929fde96419c1a4fef9ec7faa61ab6e660f71759

C:\Users\Admin\AppData\Local\Temp\iMAM.exe

MD5 7465761d256af78b70b932a52aec65b2
SHA1 6508a50c909d98a2a0907435d8bf5fe5a5f030c1
SHA256 a3c438a47dea57f4c40f372041805a85c487a153bedfee48848782db4723570d
SHA512 d3702cb0f40325b1ad6d0f2e2fe31c007e1ba55781ba442c0a274cd06a661ad4b50468d118f96f844fe5ef91854f38cd4bab09d9616ed32807bfebfd0b444d54

C:\Users\Admin\AppData\Local\Temp\uAoK.exe

MD5 f9310fc0f0f05e5fb55ee4777b22d546
SHA1 54c33e4416a896ab46f64ea57fc3e0f1f5891b86
SHA256 a7048c7b1f0c7def72c2ea8c24e5c8e539fa0720fc628d1b22c97ddbd51c261c
SHA512 358e0d3d6c426871fb89a513a1f379d0d6e516b3acbc2d717fb69c4fa5b8992b238d6eeca198c607e8729813c6a902b428af5d019c8dd9451e44a166dac07064

C:\Users\Admin\AppData\Local\Temp\qccE.exe

MD5 86d399e562d971d64083d45d4be020f8
SHA1 af21e6bcf27ccaf90d011f953caae92644ad469e
SHA256 eabc857b77c3717a34f2d68d4b0b0bdff456cf57a07446f2a83390c8e4e83346
SHA512 664b9b224ba76c4b4f16b2ab25a00710817677def10859b364fc45cb8f6bfc4d8d417e84debb15fd8f4762a12a95602380145578f32e8fd487869f4d52f3a01b

C:\Users\Admin\AppData\Local\Temp\AygIcUAo.bat

MD5 6a50bef629a10cf6d53992bbe16b25de
SHA1 cfbbd5ebffe50eac59a9dc37d594635d31e4d515
SHA256 0575a5b93e78e6e975722c183f6c2f459c449ee62d616e137b5324edda3cdc30
SHA512 74446b1c5b33f35d30be2be03308cfe86349d4b3e8fb9282b6d8e616f36abe4dc33fb852c217a347243c5646d38f68fdbb9669949a02ce04647d2f94b9c541ea

C:\Users\Admin\AppData\Local\Temp\kscU.exe

MD5 841cd11b94fe012707b5d7e48954225f
SHA1 1d080db4a52a4dc9e33203bbc479c90d8b0fb0b3
SHA256 e9b2fb4863d640391ba153cd4d2c5197849665efb2a68839271bc844b6bd1960
SHA512 f7ba802d76f1343728ee8eebcde7912dcf6a959275726cd7934a6a1262ac05caf4b60a04422145f614b209d978d054b19c82bdb31d2b7e2ab1af605bb0accb37

C:\Users\Admin\AppData\Local\Temp\kUEa.exe

MD5 ac08cbb738f2f5d444b7f35fb7ad3478
SHA1 3233b5f88b91f4e6c3568575cb14bdcb14dda899
SHA256 e6da1f9aa714e5c0513aabd7d35349463b898286d1012a0bf7cbd5afe06dfcb3
SHA512 9bf4faca84bd710c81a5447e1b713bd6278ac2e4e75ec5e80ffab051ac84889c439315f4c5ce77b5553be2be79f187908705c724e527fedb1fb84eee8f52fef9

C:\Users\Admin\AppData\Local\Temp\wMYU.exe

MD5 7e27700fd1e355382d892e44068d3ef5
SHA1 49437441cf2964da2ca0c97c135a3a782e7835ec
SHA256 bb8aac32c99000c49e1eb84dcd437146a46f19f1f3ae8e2dcd4a0d575b3d44a1
SHA512 ec09727e1bae57df14e0eb9445e01a37acce49d9f1b54a28e5ff8deba9c7a4177cb88c893abc6198a5c5e0d96b735e7918d707f48c0461d336eea7a90714a4f0

C:\Users\Admin\AppData\Local\Temp\uwsy.exe

MD5 0b38f22338d0f041a9d08198be563075
SHA1 ec6d6f7374c989708854a39a801088884d233d0a
SHA256 35cebc2c77aa97a34df0f4c67e756fba4b770067bdc673c05ab6ab1d0d644fc4
SHA512 0a911d7f1d311049478f37820c79e944eea9cc5b15c8bab9a2f4e6e93d035659f59c5eb6358a9b4bb59934a610df936092229f129b2c9b32f8b68abc436f2f88

C:\Users\Admin\AppData\Local\Temp\OUgQ.exe

MD5 9afbb1ec54ca85219ceaf25e1a8530cd
SHA1 b180009863a03e4e9738de3c20e542d864e6d2a0
SHA256 b38ffd518107804ebee6c6b4fef52ac1737c01aa38d0cd6a7fbf83c7bfcbabf4
SHA512 1e6d9ab8c9fd87a585b1c0ba2e0338450594f45929b5438210071782e30a032495a87ca88751ba8278a1074f06fc33998460c8e088083d69cc07f47f3f416cca

C:\Users\Admin\AppData\Local\Temp\OsAI.exe

MD5 75aa3e0a87ffaf45059ad0eedc1d6335
SHA1 274d87c1798d1add87e5dcfc7c0f0f2a441564f1
SHA256 2fc9fa062a9393e835ff0a60f4edcec2ba6bbc188fb815dfa6c6534ec36cd8db
SHA512 2e2b9d2acd8a04d596c939f41575aa087b3b7680b1fccd97518e3979d5f1a6b224cfbfad82757cf28db3bbcd1d097b1b7231d354feec5165aa4deb844857157f

C:\Users\Admin\AppData\Local\Temp\escu.exe

MD5 ea1134e2aed1e2bafcbf29828ef0ec7c
SHA1 3720d27fea03aa7feb69fbd2d87622367be3ca5c
SHA256 2477a86656d23fa9592adeeba0d0316e36dcef00baeec1881c7b52cb2ad16dc5
SHA512 911f7e2d47a79a37846c9cbf0d677c60ca999164759606e04efae809c3644e30aaa745bab331fe5ff8b45b45b075968a0b43cf110a8bd06f44ba5d586c337257

C:\Users\Admin\AppData\Local\Temp\EcUs.exe

MD5 9c6a620aa1254bc52c689f5988789989
SHA1 90e196cf2ebbe82e8e5ee73ef4b6b601c7809415
SHA256 c79d747bb04b7febb635e1cd13859a24840c3c1645d095b0713def3b1d355a33
SHA512 1614ff9cd394d23ea85cee91e09518a961a57e48d420a7b396f5d7612921bb7325e2d8f851cb3cede1f34122307974c68d6893c8433744981a5597d686929051

C:\Users\Admin\AppData\Local\Temp\CMAkMgYY.bat

MD5 6d61108181b62c61e36c05054f50cc1b
SHA1 bb0d5b0f4f3c777706dd2670198b2f2ff162bea7
SHA256 a5a63f7329861d8e855d9c9f026dc0d536d404789714e493264ab7a6fa25235a
SHA512 0bfc6f3af1ba9a8ae8af468e3870fd2a148669c53be39c04791c49d0e916a77a1cac452e001e7a75a641597e474e0afa69feca8d877dfcd9f12ba34d1b856935

C:\Users\Admin\AppData\Local\Temp\KUEm.exe

MD5 406395d51366d9f7276d4d180c292a07
SHA1 5ac17ca9c25e8cf3f8bb59380074634f826cbb24
SHA256 3226382ad0eac1ea49f925e3d52ecb2e30fb53e85a482bb7dac53434d498fd68
SHA512 97018a268cb2a81fd4fe2631c80926023cac465cd2de036c95724daf89231547f3e48128501da5a625f7cdbcdf75430f03534f25d1e20db8a58cca02466e21c1

C:\Users\Admin\AppData\Local\Temp\yYYq.exe

MD5 2696e76b3f8bbbad1986b44ac3c455c7
SHA1 bcfafa357efbb6ac50b36618098840c9df810778
SHA256 f997257c308b9fc022624595d965f900804793c7dfa33bbcc2e1da17426160b9
SHA512 48717b8d51059e3b2dd3945fb4e7cf68c41ff17f6442c84d847e6cc5813ebe6717953628ac5a587cb4d33fc2cb9cc986eb397a8d28205834f0d6695bb1473e4e

C:\Users\Admin\AppData\Local\Temp\EskE.exe

MD5 d9b2ba7cbc8a3310a505e76c9ae46c04
SHA1 941c1df5bc1443bfcc4207958588a4106243e847
SHA256 7767fbc649808db591a6df3835ac29dba113be2d56282fbea05b5a2abc387e77
SHA512 76168377a11f614e11daaf68418d5db824f4f72a27df8f104a0aed8a2e054f5df80cebea24dd0cfadc323f8c7ee519dad8f907009c469d4f906e49dd69ed919f

C:\Users\Admin\AppData\Local\Temp\uwEy.exe

MD5 20ba783c93ce3227f92e8479b7d07ae6
SHA1 937173b4a66a8460f34173cc606d779a589f49f6
SHA256 52153879526e5f3122705c788b9af1c67d3b3a681a243f3199257ee9e1f2b8c6
SHA512 e351a2ce1dae58f2fbda8c853ad2aa625ddb75f56f8e3dcb17687cbad5e790675a3df75d4427b08117a55366c02de012414845148a52cecf762805273fd5e232

C:\Users\Admin\AppData\Local\Temp\KsYu.exe

MD5 f79e2effdc4715b7e999da40c88109cb
SHA1 ca75983f4c42b381d7596d5221ab56f7e6fe3ea5
SHA256 5c05ec62af1ef16150effb9e04ede3017a6947fc21225531750e0310c3331279
SHA512 c70f9e4122c82e68e5cfd03c20ba456e79324015ee4076685a3e2bcfbb5ba66740f263f8e9522832b34fe768bc06ae13ad40c91d6002822d84c431825fb12fc7

C:\Users\Admin\AppData\Local\Temp\CwoG.exe

MD5 40c37b235900775412d6e47ec902dd07
SHA1 88afa328ed921c623c1a6a0a5040473beb46473f
SHA256 7caf1a01b65f3ea1453a8dc28a9f94956f07f3910d0c31d7c164c4c1fa466848
SHA512 709c9ab64482ae3b3e8405b5074a0f6644acf250b8672c2aa4490428953fce3b22bac92c73ac05b03b344a7ead4d6f1a5ef09f419d9c6709b63115a1d71176b6

C:\Users\Admin\AppData\Local\Temp\UYUw.exe

MD5 8210703589aabd7aa1cd27735a4c052d
SHA1 0154e4a8029d112f5e112d5ee710ab9e53125184
SHA256 8d020611f6d0398063166304c7571da84f70e31ae80e6e10ca42cfaf2b8954f4
SHA512 b574c1c98d35949c45f6823e18bdc7ac849baeac441828b36b1c272149390bca9462b7a093aae85ea66c5fcd2c2f020bafce188d02162952ece54196a755f247

C:\Users\Admin\AppData\Local\Temp\mwMu.exe

MD5 f8a6da1f5bb60a4d63a928b41cf8a69a
SHA1 a57f98fb81860f3bb8a97bc756d2f057b9cc7c27
SHA256 03b239f73d6f802367bf6fbe8fe224160f4817daa9f79e544407686d48b4a4ac
SHA512 55fba2f3d731e53e15a880fb1e2f47346d3190c54864e2f8f3cd7c33bd6410b463a5cbcb7f1e2927defcd992c1bcbb5aa2f0ce8661f3a56265b1156d814caf69

C:\Users\Admin\AppData\Local\Temp\KsEQ.exe

MD5 05d2f2f3a7e08d74b6a3eb756e87ece4
SHA1 2e4635651c3d76942b312413178df4341488c048
SHA256 bd8832bb2ec01185ae7e90d4f8afba810815fc62d7a4a77a6d86a775abe87c6d
SHA512 9570a9a2a8056a9d8bf80f46faf7e65c683c8162a5cf8a58fa268fedae051330c7d32d073afb0de58a9d328f74c42353c74c5504d31b8a1f386a9dff893d8fa7

C:\Users\Admin\AppData\Local\Temp\asQwcUwg.bat

MD5 5f51992cf0271ed9f8ff6472782192cb
SHA1 eada4bc6c4dae465ba6aab1746c4d0562120d068
SHA256 941c85fdb0b0f9c85f01d909fcfa42886d2d38c9e4ef33c0486c7811672fd443
SHA512 bb7a8b5ec8a3fc13495fd3bc04461de6b321e71119dd3d7d0c6d82dee1e4e55b6c3b18fc9cca47e9a546af2fa5700aeb02cf4d7752fff4357effe1fa877a2601

C:\Users\Admin\AppData\Local\Temp\gocq.exe

MD5 3c7b946eb1c2bd0f523823693763c64d
SHA1 ad66a642ce747daf5eddbc9730fdc2a942d470af
SHA256 030f620fb8b9b3a1c89be7ee1a83f197d23b68028f07db6bfd42160caed72ef2
SHA512 18359570b1799de6710d17856a4c54710947ddb73b281503608c005e7f9144b9c826de0c9ba78c9ca6221ed76fbf38dfa49b96139eb1f14a8062bb83f118aa42

C:\Users\Admin\AppData\Local\Temp\Mkgg.exe

MD5 2525946e605b6550da3305db1a135d75
SHA1 fb8885812a13b0e135c10b1669084cae27f728f6
SHA256 527a5c1f0e8a4d65187613a4bdfad122c0a7d296203f75e0f2b101b74b8142b6
SHA512 2b620e0988de0cf1f8f0e0b12b48f8afc4086be8bed07d9027bc640db0350c77674c61e335e2f0d72cbd0ad84bc8034a3adfaa5aa01824aef581d46ee9d1bd71

C:\Users\Admin\AppData\Local\Temp\YAMi.exe

MD5 06e6e619f7e923b2b79247484d9ef51a
SHA1 4ef1bb35a90db1ab8ade12b0626343ff1a606836
SHA256 e124cf66e82cfff581e5ba02b16b5ffb68ee072ce199c031802d021dd3937f3d
SHA512 ff41ce35af17422dcee33209a2285af29bc9d783d648e5f621ed84f009c637713b2816dae1c45cd5e3abe54d61f22ae9db041a128b4f9099b80d04eadf173e49

C:\Users\Admin\AppData\Local\Temp\OkMe.exe

MD5 e9cafc3e56d79dd74904a55724b88ce4
SHA1 2944c1f19f673ce449a8628067556893b9db3687
SHA256 b22931aec6db8cf4c1a8eb0116046fe9c0b7593a00b60031ca68dfc45ccd5b5d
SHA512 069dfe41b1cee3347696bae265a8aa4293a1ae2e095bc3b33f15a4325a0c2f7281ae970c05d4afe6faf86e54ce6f13845120f69fa7a1300f79f4e1e0e6aff49c

C:\Users\Admin\AppData\Local\Temp\qYsu.exe

MD5 befbe87e46822371b0232e803591ee1a
SHA1 ca0ea975afa07401c216b75bbea212bdc21fb685
SHA256 d4c6a3016afd8cc108ee497d31e2bb1d312470d2bf3dc0a8ea1641d9bc9199c1
SHA512 97d8d33537dfe42bef0e4e4d9bf94e3c6e05ac4382c262ba4a2962e1737f0250c1c8d8aa71ebd323517424015563f0eb429dbe88b6765a8b13aca0c39842e003

C:\Users\Admin\AppData\Local\Temp\VKsUEUIE.bat

MD5 0ad4e42c449fb56446a733e67ca3ca86
SHA1 b78133c76690e5af2624fda16ca9f4b7c1c57808
SHA256 f3ea18a3fe3b170aa1fed10302b737a6f09d13caf096754addc71c76906da7bf
SHA512 8d229f0033773e8b2266ceaefaa0cd18a6207146f92c9c2f5d13c36859ff2b5fc3cb5d1a2902b0aaa2e541f2d0dab7868ee5e4a890f02c8659af31548e4c525e

C:\Users\Admin\AppData\Local\Temp\IUAC.exe

MD5 f9f3883031598335912a679b3a357f2d
SHA1 c60314ea4daa504b65a28710645d12e43796f785
SHA256 852cb5edd793d3dc1bdcdc2b66ca04a52ccad6a511f3e658fa3d642076619771
SHA512 f891bb1ca192a8b615f007fed975be639bce9ba64d9fb77358e6288e7fcdc81553320ebcf06a62e4a957dd9b8218ca861c19be907a74ae8457839ceb6e4ab3fa

C:\Users\Admin\AppData\Local\Temp\KucI.ico

MD5 8e03abdaa3016247fdd755b7130384bc
SHA1 08dd2d9541e1961b06957fe9a19ce83aeff51a5d
SHA256 42b58cb0928fd8fa0e0bfb129fae9cfc3b7d3230c2c9c367f0a17c4d0039aef8
SHA512 e282ec1c768aee026682d4c6a8e71d643ac4d7dcfec027536944c658d71b7c484aab2da6990c324d9677d032a86c1015020efcd92c9923dcc21e4e5ce5b0e26f

C:\Users\Admin\AppData\Local\Temp\OcEU.exe

MD5 9231c617f9d7e255679c65962586411e
SHA1 8af50721075aeae983c2e2745559897384af0b52
SHA256 917294483efe865155396f1a0a972b31bd0fbe7e1085c8b2f72eedac8a8a5658
SHA512 e04868595dfb76856d7d78f78f3dcc177dd99d9687814f3d5d05521cf8a1538294a0b04b369895413afc15a6246f2ecd38a0831b0a11c4b954db18ca90f94239

C:\Users\Admin\AppData\Local\Temp\OYMc.exe

MD5 4a30f50858ab3615d737c23534738040
SHA1 32bcd35dfc29ff164ed6f659dc04ddaa65b2c5f8
SHA256 bae962ebee1675f29a2529054f2d57c36547aca5edfad7536bd41e84e06ca4e3
SHA512 dab913eca47509cfffe3b842621255e5504de63fa3e313e34f591d278f9e51348ba3e7b2deb45c9411f7b54c01eaac4d836229dfb9c31aede771581ec50ef51c

C:\Users\Admin\AppData\Local\Temp\occE.exe

MD5 9e721c10f4698d58b3f9b085f9988f6c
SHA1 079c562d2b940368cde0e10c784a1c6e7b3af8a8
SHA256 1f0afec3caec461c072dc54bc46e4c1db31e09a362159c370e2ee781033953b3
SHA512 ca1642a813e2ddace6c733ab5e287491cffd291a078ba46c98bf545332bb212a3be785db6aad0b5e890919de9b0233771a7ea1dd30e46151cbdf71b20bbcb510

C:\Users\Admin\AppData\Local\Temp\swEQ.exe

MD5 cb6421610ace647f06198729a5053f86
SHA1 d8afdaa73f01113366e488e6e8233a35228bc257
SHA256 f9655af68ef168eb081d641b1bee5a76e82a09d57a3cea953ed32d89a89151cb
SHA512 6d9954b13b0e00ad7e1e46ed6f5e92d5e693ac03087530ef784d6ad204d2bbde4d930331f780ae4ed23356f66ff274fa56514305ed819ee4e45c9adf7b0038b1

C:\Users\Admin\AppData\Local\Temp\Wwco.exe

MD5 23042e7500e41a323a14a23b32465afe
SHA1 44bd7783eb26fd6c7fa209e5fcd7b6ba7b37ff5f
SHA256 da7a5b0218e652fd5f1e6cf86889de756f501d15dd66a02e23d2e5c47aba2421
SHA512 4e0f69db66316c791a53bb66aef6063d59f03e29789bde62622f41269baa43d0b343fb19f297e76baf22a7bae09d9af4b9c526b35621ff68a67bae37bdbb1da8

C:\Users\Admin\AppData\Local\Temp\mwMs.exe

MD5 fde2053437c28d4eb51817f9f3041ad3
SHA1 561afd56c469090f1e402ec970bc8ba0c2e08dad
SHA256 8ec0ccb376136c32091c707a2b6e638324d4e2b38d4e5c2207fc7becdc9b5da9
SHA512 955801b9fd869adf3ab1dccdd6e2969c40e582e3bb20b12d7de09ea7286e6d3436ae01cd3770ce739c02b96d168f4397b6e5e9ef75172c6756967792d909ebf6

C:\Users\Admin\AppData\Local\Temp\BQQUwQcQ.bat

MD5 e59a1ecdd36ef4ab1b433130fb334b8d
SHA1 b60a813d9818d8e4b65711d9b43d74f2b260ee42
SHA256 00d834e2c0d6f01de235f2c07e8e0d1d962c3a633581e1230adf0357a04d817f
SHA512 513923bf7e96c3bba98989ec31a628c23b914873b9866c6c53fa5a2c46928609cb0fd7af3c63bc6d58fbbfb243a814e8c3f155aebeb78d553bbab74d1ca55635

C:\Users\Admin\AppData\Local\Temp\McQk.ico

MD5 31b08fa4eec93140c129459a1f6fee05
SHA1 2398072762bb4d85c43b0753eebf4c4db093614f
SHA256 bb4db0f860a9999628e7d43a3cfc5cd51774553937702b4e84fb24f224bc92e6
SHA512 818a0e07a99a12be2114873298363894b3567d71e6aa9ce8b4a24c3b1bb92247450148f9b73386a8144635080be9bb99a713f7ba99cb74f8e82d01234000074d

C:\Users\Admin\AppData\Local\Temp\OsUw.exe

MD5 7db0fd0012c4e0ee2adefaf87eeb32e3
SHA1 3a4fb25a2a01a7079a58f874c28710917388e072
SHA256 78498aff0c3a7cb244918336b7073def6033dcba9eeddbe78fc69852292cf34e
SHA512 62a42a7efa734cd065d80aaa83ba5de3bdbd6c6b4cd82cb130a98c05490a85a1b43c2fe241d42881f621e73fc0854b39dcdef7abb38e1b31fccd043c8e29bbcb

C:\Users\Admin\AppData\Local\Temp\mggo.exe

MD5 5ea6bc1d82ac424e3a29a08158811093
SHA1 6d23f943aae0c5bb92004a823b300039f973f084
SHA256 0f29dca725cfac0ced14879f9e1d603d51d0f6dc0815b3e1349b1ba18e6e1856
SHA512 8e2070b7b49cd889147ff556ff2520e7a69ad2f3f9419365e24bc1920b49b16449dc093d2c9a26f44516a4c3e08485d7a13e0c7e53a9ace603691aa5ab27fd5a

C:\Users\Admin\AppData\Local\Temp\cYku.exe

MD5 2ef6980e7b16e7cca71340f058a02ddf
SHA1 efcd59f8246703675f35abe4a9f74e1bb27a0a2e
SHA256 f3bb707eba435e17791d24766e85ac32cfa29bd3215b4303ded0f1e5ccd23d96
SHA512 889d4afa81609927a58301baf74c4baa266d539155b7a1fed1cc5b8b4af6476ee1134458f5b20ac1c2377b15884b3436250e60bd8a2b5109ca105582cfed92a4

C:\Users\Admin\AppData\Local\Temp\OIUK.exe

MD5 51a629475a3962b41f5b92cee2e0e068
SHA1 812d90d06b6afacc66644dad8c0ed75ecad538db
SHA256 b4553e8dd9a87d50cd300de2800570fb2e7a9d6f946fc38d26c65ef6ef0af0a7
SHA512 bb1f1ecf027870f77d9985d02014b548eb9d06118b7e8f448a6bacf849131c6a1d63aa4936410f8065fc34be72618481bb8237ddf6877e9c9f446e9438690ecb

C:\Users\Admin\AppData\Local\Temp\WIsM.exe

MD5 6f923fee7e216a451f3c185adf01cfd7
SHA1 2376dc2c3d7f39ab947f622b44e3a11b6dfb8e55
SHA256 5c478c2f112a7fe11e65077cfab152651fa4a6bcf08b5eafe3e4549d0fe98f1a
SHA512 ea521c81b3688644c02af0e5432ed665a48993ebcb196ff414c79dcbc2b945ae076f3185a0428a159f78dfc8b2f81453273ffa6488ca7f9094f2ffd2e35bfe7a

C:\Users\Admin\AppData\Local\Temp\OAgC.exe

MD5 f334346ddf97266ac8a847ff6fda51d4
SHA1 03e32480aab8c6d53b9e69e7e9a5132f1e411583
SHA256 0e000cdc66c099331b019cf39f7d79c5047f3d172065dddca10df341d4ab528b
SHA512 cdc4321e371d96509024addbaebcbbb0b2dc4ac34372c6a620ae2888e8de6159fc8676c11175ecea94cae7850849c4657309aa95aa03e4799b1a4591b2ef0a99

C:\Users\Admin\AppData\Local\Temp\KsgO.exe

MD5 c953b182430016e420e276154702a2c8
SHA1 702b7e8ee1fcd28dd72c662d8037b85d40fbf91f
SHA256 dda4eb04bfd8acb2bcdf40b3fd8efa95b0e6bac437072f96d4a3e25d926b74d5
SHA512 035648f67bcd4029a28e8f64a2c45564d090427421bbdc51d3fd8f440ef7efeda22338f1d57144a2a9f6b26c61d4360cc10a586776c7fa65687eeec80b897715

C:\Users\Admin\AppData\Local\Temp\qgke.exe

MD5 f4acd262684541eefe4cc523ab4efa4a
SHA1 34e22ee03c16c0347891073948c478412b80a465
SHA256 4fdf0329640acb6c1dc681f97e783602fa102f1249afb70c99eace6ddc7974e4
SHA512 b9a57c946490c76ec6732cd5ee0cc85178679858c0954da18ec1a9c4a89d28e739f5b42b2aa35461ef363058b20c367fc0880536486f8443503bd58c9895331e

C:\Users\Admin\AppData\Local\Temp\CgAk.ico

MD5 964614b7c6bd8dec1ecb413acf6395f2
SHA1 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f
SHA256 af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405
SHA512 b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

C:\Users\Admin\AppData\Local\Temp\akAQ.exe

MD5 4fb5a53a9ef15676b04397357a7949e6
SHA1 4e07d93cdbd0d382a59b4e5135c0d55ede4feec1
SHA256 9b92069bdf47093ecba775680d804a9e9caf318da45d56ccf6b899bfee937b3a
SHA512 e2b738bca82a31224638bead119aa0d501837e7ee2f558ad3f9a85dd68d64a032560d70e78e3a5271db1c5dff3ccd6442162611869161d9f39e0aee48e03b71a

C:\Users\Admin\AppData\Local\Temp\CAcm.exe

MD5 2d9fa0b846ad2e33ba6ee92baed2011f
SHA1 e143a0c24693f3ec852005c780ef19f3d8dc2b0a
SHA256 ffc847f5b4009fa2d1241e496faa015bbd6f167a1f2a75d340c67fbc8cd655d7
SHA512 4dbd2eda153f625969e24c4905e0b6419283a1433864816eb52d10a00ab63471f2491ae06551857e3c726d6d504db83d2b4629e564a0e64d903c8e4aaea9924c

C:\Users\Admin\AppData\Local\Temp\sckG.exe

MD5 5fe592ebf97f76106fd411196419afec
SHA1 82bfc4ba4c1852c48d3f7217a826c32c1d95b95a
SHA256 458582cc800c2bf5f174662cc84d7d396b516db81edd8f880f4a9c98a82b5ec6
SHA512 e0615ecc3096bd1c6de8fa98c8988b0779fd63ae9b0709a31f72535bba2aaa6352965231a44eefe018d1000906a92d24576e0c86c938952b607bcc3ed0be7427

C:\Users\Admin\AppData\Local\Temp\KwIw.exe

MD5 9c056f6b5bd50c035ef22d170a624dd1
SHA1 9fb731d8f11f6e64562a932bc56e86cd77b5ee8c
SHA256 8d9729ed9d11aa972838e55bade708242ab8dffd40cdba852dbcfa90726d0056
SHA512 b6725d6c6fbf0b6e5d81651b85aa8498ede88f63e182aa7b19f2b6c2d9398eddc048b4c5247fb1cd2b8d01e022fbbfe7fb2b4790a3f6fdecd731c237ed2db40c

C:\Users\Admin\AppData\Local\Temp\swUg.exe

MD5 6a8bf76cb88af74321ee1d5d28e3ebe8
SHA1 f2dfe3941e8ba1f9026d74dbd95ca7749c3a0581
SHA256 c7597edff17b8ca7331074c131849adcad670f1dce559306d90fb02d18f4a6ee
SHA512 7d3bd0e5462519036d3fda489c0c1a4b7297d0a5404af5bbda476f1628cbbbc34deed667702cf608c14166ec610e1f3be0d7f53acc1b885af2d2e2fbba3706c0

C:\Users\Admin\AppData\Local\Temp\Ogwe.exe

MD5 ae5003d049bf91140d7b0a56840a8f77
SHA1 a68746b1f65b03cd552db7bf45d9091ca79db7f0
SHA256 426812bd7b3a8eb0618bd64d981321aee0bb4b3dc16bdb366b1ab39a85e6f126
SHA512 b320b3bd97d8b178966a4c5b84c6aa049ece47cf19430fc6b2822b72de663a4fef63e0a3630882d5e29994eba5a977a7f8a7d308698f7298794dafc88c94f1df

C:\Users\Admin\AppData\Local\Temp\oosI.exe

MD5 42ef35da47d7a118798cab6501177c76
SHA1 59127793c09f98c7d57b6d3f3cef05b8c252671d
SHA256 5a41d6c8d39eb38a9a189194b7659e1816c5636be89ef74b2ea1a2b7159322ee
SHA512 b75e3c586da1deccac17eac41cfd958d13af66f0448516b5196a5d5127f9cfc620330a874daee14ff60092c095aa2ecd96a0efb9925c12476b0c95979fe10ee7

C:\Users\Admin\AppData\Local\Temp\QAos.exe

MD5 784e56a50ffc4c22a893b225f1c5f761
SHA1 74c6623b2fd6759d635df2fe8f7c3db6556bf1f3
SHA256 e19a9c71671a5329fe0aaf059afa23dc5624e6b8ed7091fa022ec41437ba4f9f
SHA512 153427bbf684ab550008206abf58b1640c9144ad414af46a7e9e140a36810c267c07202197c8b29ba61ed2f85ae6de0bcf9b54d3f6f01eec9ef32448e8402eda

C:\Users\Admin\AppData\Local\Temp\eIgA.exe

MD5 25f3cd3aea08856b7657a8caa27332c2
SHA1 8b47f6945e26d83607eba2d10a192ffb86ad8db1
SHA256 aad06dbc7121e640a0e4be788eb7c30bb9511edd0689de70797a5508a025ca7f
SHA512 21cdf82a32e5fa8d8e8504df6e8e4b95b6324e3e7009b6b1b34f41fc0a798693637d72a139a759df1890ded933eb131e8c68459db23a38ae29943d76828875d9

C:\Users\Admin\AppData\Local\Temp\gowg.exe

MD5 afaf296ebd428b1663e0f8446b2da007
SHA1 00162cce0ad4f556d33dbbbb45073f5f30558a56
SHA256 921914f902833c8822528752fcfb6b524816ab7d294182bd824e3137bbf81bbe
SHA512 2925666545d5381c2ae4ac7413198ce74f780b8aa085998b8a1f08a50f78ea4eb9abcdcaaaec8378d3d67e597474579cdd96659fd882d82aec882b46bc093af1

C:\Users\Admin\AppData\Local\Temp\uIkS.exe

MD5 4170226239703e59f234f151d6646c57
SHA1 edfd0584c4857b30fef1ea0b2804af47fd63a058
SHA256 c34f3df92ed71b1b016fab8fcafabd69eb435d686afdfe912727027777dee123
SHA512 c01df4d723584ff47ddb8b8e7348ddf26b1a6e832353da7ba328ef0ca81e621afe9ddde2d0d850ad47688ad729d723032a6bc9fb98dfe86f197c6c9102c7f858

C:\Users\Admin\AppData\Local\Temp\Ycok.exe

MD5 0748ab4da34a9ac6486185ca62966836
SHA1 b8298013a62e9326a1b14469a4b54df6e750a1a5
SHA256 44dfd766af0bb9693ecd85b7674cb3534cc8dc6ead03d9d628524af24406cb82
SHA512 29a41a0ebfdc994c441633c016c4a5a1152be51ed1953be4ed108029d163eb34e8ad7f41267c14a07dcf1e4f1f78a6628aff4575b7b43ceefda3c40575ec4822

C:\Users\Admin\AppData\Local\Temp\MUgs.exe

MD5 0aa5494ad1776550446f52b3b09b0b7a
SHA1 083f2f5d9caba699f6a7a1d73b26a138ca4ee364
SHA256 7d284acc645206501304772b75512b093da88dffcf86f2776a04ef21d492abdc
SHA512 d7f1d7cca227e30854b39f7599f6c32afdd732c59fec00234b9ec8247176a1157bd8d934219438944661cafb0fc214dab957a6c77e679f35381301fa793c2190

C:\Users\Admin\AppData\Local\Temp\kkEa.exe

MD5 adf0f8e616a00495e9acef168cc64da0
SHA1 7aa47a5e97c1b321b10e4e9e49700c960ffd4c24
SHA256 7b4e2fd429e78cf89a72d0114c5fc610d59955a8c8564805b635b3cdf84d68a3
SHA512 af34af3cfada30b4b9063b1e12a081c1b605e3b2915cb39663ab469657e5f99b3198dbae5a7b6c75c8c54cd9e31e5f204eb5a6f391f8548336fd9ed11c85e253

C:\Users\Admin\AppData\Local\Temp\OoEq.exe

MD5 f7e8c66e648c2af2ce9bf1b5e29b9683
SHA1 1c91b17c5e830137e3606a6e71a3aba13f46b3bc
SHA256 e76c20ec5cdc8f590d9060bfacf6bc758d8753b7ea88751a329b65f25ca2c85c
SHA512 97634f9b394a5068fded05b36eb178c7c9443870508b90a1b2cff6cc2dbe159d809ec226beeecb342d96b25ff9ede8f3e6bc9df1818e25ece7381eab3864b3f4

C:\Users\Admin\AppData\Local\Temp\mwUG.exe

MD5 a0ec44c6da5b437960398062049e2794
SHA1 b13f78abe51344e5405b8420035fdea224897fdd
SHA256 ba0b8e30cc112bd6ccebb083f30f2da69d6f11eaf9a0d11f09c4c4f848a62ec3
SHA512 71165e03c43978f16ffb673b8654f16e79392a6c77b212090260e5138be1106989354e4300d83379a12a5e89055549f42515d0e9565d00926c2d3f4153bb08d4

C:\Users\Admin\AppData\Local\Temp\sccg.exe

MD5 e6d0234a12dd223ca71a8001911b7603
SHA1 b85a6663ca4074f67a4803fdf733c851d9654fc0
SHA256 bb4dfbfb072321f073f54be993937954b8bd380c13ed57a38058f946446d9773
SHA512 a1c0c0bad825ecc863c03dee8bd926e7b608a217969a3571b70a669e67371a19efb0e124c17269102638285429e47a19d742f88141484b462343696ead12f3bc

C:\Users\Admin\AppData\Local\Temp\sYou.exe

MD5 f24e25d6bb2b2c2b2f89481391f234b6
SHA1 9d3890e98f4ea304f8fd397d4431a58e8de0f667
SHA256 1611e6fe444bdff43a684b6d1996b355cf56f9229037fe4ea1f2bfc56ce7eedf
SHA512 a048f7980a01f50a0be4e5bbd7c9612fd094bb012202e6230c8d11a254bb11b24efd0c4eb192d2153fde4b6925447a85e63aa98dd3b9a361558878a2c1e05483

C:\Users\Admin\AppData\Local\Temp\WYIw.exe

MD5 6961155caf3481968e86e0f1a4627487
SHA1 6bb86aeb3888c6b25a8512f4642555f23bb9c73e
SHA256 532b4fbb5d5fd1a305c8f311cc5ea58ef2af2f04c4bcba79fdd4878a18dd586f
SHA512 9797ac4c2f2d3ed653ffa2e49fa6e7d82704c1a8b1c25ade1840179d02b9cbf77175390f38e0c80b9cc14d28a5f482e20e4cbe2bc0490bccfc798f95c23e2a9f

C:\Users\Admin\AppData\Local\Temp\uAwM.exe

MD5 3cea6a2eb14782b7d16abdeb4e5ed493
SHA1 1073cb6a457df2878cdbe7ca8c66a7c3b04938d5
SHA256 75a1e69a7d0fdcaebd8fada5580c9a0bca640b6bbde3325fc9a4fc0d413a3fb7
SHA512 6081c1b8262e8294836f044c897222ca9d4c0848348042b60c0c7a0c1fd400a8adbd64fb23abdebb0a35b3a591347111fa2280785b5e084af25b4dcb8ca47520

C:\Users\Admin\AppData\Local\Temp\FaIkcMUI.bat

MD5 1d942288c0394a83459dd735ea405d69
SHA1 1e2e3351180809efff9e4632a2313b24320b7932
SHA256 f0bb871fa40c1e96d5f90cb0026e28793badde84730e3788854a3543525cf896
SHA512 9515569b7ce8b022c45e52fd33046e1162c1ca2c2c84da2e5266c09d46cf299999a5211f7a3f41dbf70664270e68fa4eb98e1735a7cdfc4e43dcd7b6733a8c3b

C:\Users\Admin\AppData\Local\Temp\IoYG.exe

MD5 6047ee49e113a1714c09f6baff10f028
SHA1 89f1658d4b9ae4223a9ab3f1dd5c667e4b133fae
SHA256 2eca1ecd9c4ad7dac4213cb36cfbed077d8d06bdeae8b28f9d88479fc2172eb0
SHA512 963ad3e46f4a74cb67f87570bbe60a8613c5ec5e5349b4f54f56061adaa8f57c9ed801e75e56eb495833fae7fb610dec6d8f9a52b09da5577b476c16bb335920

C:\Users\Admin\AppData\Local\Temp\EEAG.exe

MD5 23794682140cff7f240ca66cc61c4c98
SHA1 929f676f936046a92125734e15d93294b883e767
SHA256 28b7f24614ae2dcb3787b067d3a01a69d4cb11ea59955d3350d0c20032135529
SHA512 96b71d30e0b544d700ce4396ae71825a15b05636d1864087b75dadbb4fca49cc6fbd3ee8a3ca393ff39b2dc8dd58555caecb59d61e7eb6d1553484a571d70e23

C:\Users\Admin\AppData\Local\Temp\QscA.exe

MD5 1c8cdfbd7471cc344b5d697afaab4703
SHA1 7023a7b2dfc9beed49b26575b3917c7ea0a5d89b
SHA256 797fb3626f350158ce11591ba24fd75647724a719fa2a80cf0da1a46900c3df0
SHA512 ce5b642acfe309b7b82b7031c49c2f30d8bb06ef4747f6a9c96e3999bf2afa55b3821c7895022b9f25f917dce0e6e7c3daa7e1ef19ff69101595876390e60aea

C:\Users\Admin\AppData\Local\Temp\mUom.exe

MD5 92707314e6dd85424a74ea3c7710899b
SHA1 3821012405b368292d73c008e18888a862e6f3da
SHA256 7b77b3d0f9279dbf282fbaff7b5d7cc08e88196084b796b3b5ac99db66decd6a
SHA512 466b668fd919f14492016e24884116ca9e2c12fafeac6d8d1c062bf274a49aae212813e16d889905edb49d235639898cf7b1e506c27ffc385e7d235920de329e

C:\Users\Admin\AppData\Local\Temp\IQEq.exe

MD5 cfa715f4a6b7693bfc09098e42c5aeff
SHA1 2aeb2a2684d0fee43ceda445b15aaedaaa6c7825
SHA256 2a5df01c27f004b902191eff38fe72e126153f56a8326f7e74c324c6833579b2
SHA512 5a26f46236c18ffc73bdc80418b1d60c6bf4a56b938204c1b611eccba7d66d6da91987255ea43e10de8fce9b5254261fc3d9acf8ba3572da05760222f74fc460

C:\Users\Admin\AppData\Local\Temp\Eosu.exe

MD5 009b444433e56dd0e37f71c464e381e3
SHA1 3ff5576917cdac076fdecb99184f81094a17638d
SHA256 a6af795938b96b35688317091b1e0ae629bce2d1e0c62823da09d8a36cce6b0f
SHA512 af6f95d2113b82bd7206727c17cd375486656b831a364a8d9e7bce24fb2de9866d7aaeed3fe12bf47b7f10c00b8892564701ded61f9df7574fafab4c65342e8d

C:\Users\Admin\AppData\Local\Temp\QMsy.exe

MD5 f7ef32c59d5d46e1938e59aed4547c13
SHA1 a8d615106ee6b78071db7c8a54a047d269f92770
SHA256 2400d8808f869adc3664bfdabba7e0d5ac08ccfb4aea74633838c9ab335b3e60
SHA512 3159f2a59e185b461bc2b25b1b9d90fb544e77f8360c9b352a76468d4bda566a13b76f09662824946f08071cfb5092d26c7ea83c3a072cf2bc0ee2c6fe6052f7

C:\Users\Admin\AppData\Local\Temp\YoQu.exe

MD5 bc25f433a8a288d8572f97f21f4a86e8
SHA1 fd3a89269cd039fb5fdb9744d04494882fbaa932
SHA256 986c41c3644d2e8ede590c6b023688de389a965bb462d0d7bab179eb431e7800
SHA512 087ac66ac2883fcebf6be0c0d48b32816149746902564945ebcab119ddf94c9d117fa257a1086537ee76f8892521b69a1c1124ac3fa40e2afa833105bac36089

C:\Users\Admin\AppData\Local\Temp\cEcQ.exe

MD5 a59ea7a632539c3ab7b67b8eb292df83
SHA1 9463a0ad51f07e98028967dd00a523d8259e7efe
SHA256 7dea0e75c8eb6962e9826029f5f522677b407ceccbfd6211da9c5a7a1d34753a
SHA512 e60c46de5c6c5b0ed49afa062d8ddeade3db9e8a2a788242176000c601025a73f4cea26dda750b4007d43daa99694c947f95507dbf2a338f54efb3f33d65fd52

C:\Users\Admin\AppData\Local\Temp\gcsE.exe

MD5 eb6b6bbea08980efb7f0837f320cfb29
SHA1 bb59e0f7b3bcb1cd2a711b19bfb5c4b3b8f6419a
SHA256 25cfc7589cf15d7520342668b133fcab6a651fd73ec22d107795ff15d2733817
SHA512 f0481b1dd4af9ce3bba859fe134e1d8a5efa3b3a557ee66a9fa1444debdde981ede6fd9397d4365a1b8f0b04432062502bcb47209812fcdc6ac342bf87d9db83

C:\Users\Admin\AppData\Local\Temp\gAQs.exe

MD5 5f9a2139ed888e3cd459041c76ee725f
SHA1 25846b7b4885297a6628c53589d08dc779510456
SHA256 48c136f03802a0bc71ff6fa5a37c39bb9e0cfe1e845b8ed403c189d0f8b26cd8
SHA512 eec44bcdc882689df1fcef282b4c5a47fa50e7a833cb6ec6f569234c84e893c028be073700e502132de16c0b8a4f5717f66b33253a6f9db1c491cb543189d08c

C:\Users\Admin\AppData\Local\Temp\mAQm.exe

MD5 e668f8d87ee90dc24fc79c6d1fba0d77
SHA1 db6161be6b54f7c8e7cfbf4b44f0f4e2392a4277
SHA256 90adcc4761984e70654d9dadb08eaf21c3dae7d5c7287998309ba4665473b315
SHA512 6f483978b0c8123451169a42c99d079792b29750b9da56a77ce6cdd9b5400af314d8a1b8c1dbdc242cb736c241d094c6aa2c9c87e4e851ac0e35b06cc49a5aaf

C:\Users\Admin\AppData\Local\Temp\OkcW.exe

MD5 1de554022083ff5814e8aba3e64430a4
SHA1 0052da4909172de46bf0f32cf03aeca5d43c537b
SHA256 a254efc40a006611ecf59afb7fa261c8533198fbf4ead15aaec2b4e15dd06620
SHA512 f6d08778233969b4ec2a4f45f957120e88d461dec9ad3086025f84e01068d1609cab3430bdf54a687fce762654073bab348413ed1e55baf554c2909d9dc32c41

C:\Users\Admin\AppData\Local\Temp\kOwwokss.bat

MD5 84fe0d0c4e82cd9c578fd8318e272459
SHA1 f535bfceb7ee4b49f24e3fbc663f8d2db52626b3
SHA256 11eb2242739042530d357dce0c0cc4740ec3c02e23d8affd82bac2ffe22293d7
SHA512 bca924a05a079678f826a57d845d95de20aa35725e2ccba885603128426ab1bc057aaed6197a6b63d953b97a44d7aff1e86c57577a62c8b57ccc6e1780c82146

C:\Users\Admin\AppData\Local\Temp\VqcMAUkk.bat

MD5 6bf5f57dc24e39b9fcb78945b1729ba6
SHA1 15a5e24dea047efb44e6d4323d1292921e1d76ac
SHA256 075f32b34bc8be4e22ff81c63e28e571cc40eeffd147faad7be92173fa1905d0
SHA512 0276510061a25bdfa1b9b166300ad77c65c9bf77a14925094e11fd5add5888afee54c5eaa1282e38140690476adbac3b0ca1081f9741d90e0e11081bf197bbe1

C:\Users\Admin\AppData\Local\Temp\MwUa.exe

MD5 a6812267d1c0f6355942b9d21cd01a65
SHA1 3ccfca7a1c266a5a086fcd9e9dd9498dcfe20169
SHA256 e9ce22813a0eb2031e02f2728ec2b95e0602fee18e58355afdfe505c4e9b42a7
SHA512 1dc7c9119158021bbad34ed3640223b870e88bca178e85c382ca26b318cdd3fd649e761c6268c155675cd49d26dd097669b2bedf48403b5e3e6fd8d7b0dceaee

C:\Users\Admin\AppData\Local\Temp\sMwEEwQU.bat

MD5 6032b78f00c470b6884db45773eb5b3d
SHA1 a0d7234f7affe8f8dbcea1c4e1726f5df6e8c3c2
SHA256 5623d62c2f1cf49bb6712e471b7bea2b0a022fef30f346fbbd6924534e196640
SHA512 597e0d3aad11bc1766e58f6e9190b2e4f085b609203d142706c44cfeeb2dada89cdfd2c4e1b4101a29897de132901b568384b31d2784c77952c0f62d813b356f

C:\Users\Admin\AppData\Local\Temp\eMMK.exe

MD5 5863321cec0daccf41bb0ea91c0594e7
SHA1 524ad638d76d5491d9fc7143003ac99a5fbe1a14
SHA256 6cce8820120f51971029b171f7b03e6db18558cc826e33ee08f241ece3b70571
SHA512 c6d02245594719b1b153a0b0e0a027b18d08a8804c0b5ee57a5a6263ca76fd2eb45e555fb45c43aa629faa482eb455db51e02ce7e5524a591ee11bc973da9e7f

C:\Users\Admin\AppData\Local\Temp\NYoocQgM.bat

MD5 f084a7d938132f505d648a7de1b54dc1
SHA1 69c92ff9983134524ac98a5cabc72206b6738ba9
SHA256 077517abea6421f3bdab0b5ddf6ea1dae4a068c3000248fded39338e6b477cdf
SHA512 d84490d83f7a1ab77317a4bc2aa007fa4922839eb6fec8959b2ad96ba2b71aff95035ec03ffd67c274b1a6e2455256af41c63eb68277e5f91738572a0b31c18f

C:\Users\Admin\AppData\Local\Temp\AEQa.exe

MD5 55ab442d52f9b7818c73a38e85303ad4
SHA1 a0de045db3e7b14f48ef5e81319e497bb90e4eae
SHA256 5ff5f82a07b446a715c90a8515571ec8908853c9f263e2eb3d3395f39e60e1f0
SHA512 e82aacd05dba5410cd130d5d67f7b511c1a8f8c70cf7a7d4a94b6f6e41c8edaeee0046f26afd8a221b781c55d1c70cc45df1ce6eb9c5fe35512ccd2a3eb445a8

C:\Users\Admin\AppData\Local\Temp\esUE.exe

MD5 2587c98ae08c447b9a41f3bb8a27f05d
SHA1 b97926bf547eb1b4afbf4d01f6e4b812f45efcf8
SHA256 699dbdddb04a0ef209e514764eddb8e1b7e2e77589ccf822a86585f802de1c50
SHA512 399c5230094ab8ad19928026698fd76c285511350cb3bcadac63e4922f3d48bf2773dd4feb8f94fe3ef123d5cb59dcb79aec1817bb098d73fcb52bd19d32366f

C:\Users\Admin\AppData\Local\Temp\caEU.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\kkgI.exe

MD5 7382bdfa3bad30455c69137eacd4846c
SHA1 e055b40f2712c80dcb757f96a773a1706794adad
SHA256 0d92b6a0ef92145d40d4859159f293f4127ded02c8e7fb3e3233072f199422b3
SHA512 8385542c4c3a151f87dc0cf4229c6ff93177411401bbfad06fdb0386d0162cca4f3f2e3020d324ef9f081c530201c0e192888e7451a7838cfb3cca89a1379cea

C:\Users\Admin\AppData\Local\Temp\uWYoUAIk.bat

MD5 4ad8f663ad0ef514cfd454dd0b00f283
SHA1 d354f72f94809dc1408f5d5228ff511cc4df90b1
SHA256 861782ebc7863341989656d8c3f8f25c18a0550b8ef83cc9cc91601b24479a6c
SHA512 ebf556e64f4fe3fbe1f9692866298f545b12002a0d8e38c1f7f52f13c807aea376755aa68948e920034e016554c38e69b48c037c7408e4d62d3f752595c95e55

C:\Users\Admin\AppData\Local\Temp\UcUo.exe

MD5 47bcd6f7c0200392886ec29dac24afdf
SHA1 6747102e09bd3dc99dba7fadb810eda1b3733984
SHA256 c5c38e5681bc33af5ad7b4725975ef0b9f6690fc7eb711b5528b174f87cf818b
SHA512 39f91382075246cd7280ac0192b3b8b660a9e712ae9cefe72f6842029fffb8091802618f38f43bdf78e5107685eee7dd895983935ad0e19b17dfdc1072dfa276

C:\Users\Admin\AppData\Local\Temp\woEk.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\vuAkcMEw.bat

MD5 7685306bb174644607724063e6912477
SHA1 d1a6e68124f58960190a799d59b4a2adea8bd2d8
SHA256 21afcbe10c2b3e25904e56cd1e26995a436adc59ee90a1ea43c58590598539a6
SHA512 83349473ecd460aabcd607a1d4a9e5fe46595f724e9c146534abd43a22dbe7cf616959b99e697dc0f422e6b46087523928e9330e139050edb5ff5664b02b3ad4

C:\Users\Admin\AppData\Local\Temp\usQc.exe

MD5 87e34b1899b9c0ad21187ff0e7363e9c
SHA1 cdc953dec73142531ccf1a0c17c39cdac612c290
SHA256 af7170cbf2b8e48ad9998e7b47065e4e8933604c851d0680e2482cb422d266f9
SHA512 733fde2a00ef6b61f79ec8f0ee68d7abcee49cd89317e6d67e8ced429a4d77d5688093989023e8dfcdbed462c63c19f2f73416b9474430e25bf2526c84e49737

C:\Users\Admin\AppData\Local\Temp\OQsu.exe

MD5 c08c9d858be58ea571d0dd1bcdddcfdc
SHA1 b6045c3e7dd0b08e1692791d0ce775f0708933f6
SHA256 4132bed8aba49b8a1b43095be28348b67dfe7184798619d693046c7ee1a63fe1
SHA512 8b474f491c6a3a3f9226e1953d2e3a24a53de95fec7bd52b373c769ac3d1cf7cdd5422385d476343d547103cbb7ffff21bb7a9ab02b214797512b1c436ddebfe

C:\Users\Admin\AppData\Local\Temp\ScgA.exe

MD5 8a070aded1c50f6ea8912d26a28a48c4
SHA1 bb0033c78f6450a2f9b45d1ea2f9927dd896e08e
SHA256 bbbdcb6f8e3bb46fe3281ed3ff8e3685843d015dc9603aea6ac0926a33c10f66
SHA512 5b7ceacec48a1fe65fd3ca4b30fc70d6ca28e222a1522c989c65a3e9adeb705bf9c1e6a857051eee78784e04726a8cee8f1d0011cda15d3a1eb0f23d3087e963

C:\Users\Admin\AppData\Local\Temp\usoa.exe

MD5 c17601fd98273ae2fc65a9657669b366
SHA1 488bcd0f2c89de656c7ab1b2b9901bf1d1f73774
SHA256 1961c9b1c7329d598a4bdfd57d5750d4f8d900f63e8455f2655ab88c6254af8f
SHA512 82d02f5ef6c4a329a89792b680e30a7d72e3f75eb7f96a544bc2ee77e562e6b66e1938fe7f74af14cac69d3a2f6f061253761815ccaf9a2d44402efc7c943e4e

C:\Users\Admin\AppData\Local\Temp\OMAu.exe

MD5 635151b1c66b95ff8aa45c62f7579925
SHA1 7c61e95c3462841542cedff7582135995c014220
SHA256 fc8d192be032ccf8907b024e9d116540f3c1b2486bef72d8856da681ff0f5021
SHA512 e86da076a7fb478a6f4805141755bdb6c8d936ad7b593fd3eebfb76b2cb0df73fad05e1c3a202d8eff9ad455e1c854e1a83dae418fb843dd87fe6f718864f620

C:\Users\Admin\AppData\Local\Temp\EcAk.exe

MD5 f91873e26ecdbfd4159b5cd53d0f3431
SHA1 a26f3aafc88f04bedd7eb97a4fd46c04c1470b88
SHA256 d15dc39cd3c0b02d42413edf31b97d79f1dfa8abe7eb88e50a2424d33d98b68c
SHA512 56524ccc2ce31ff6cbb38381381e28fc2fd5d9f1011ec78613efad5be2aeb05a3b51a564b78727d547eb9290f85412386cbc906c1d44d52c14437485cb01e623

C:\Users\Admin\AppData\Local\Temp\Isck.exe

MD5 d78abe8288af0121a6b2a22fbde6a516
SHA1 fad95f0c3069b715051a8f1a971e5338904e8b9b
SHA256 cb3e4bb69fddf8f2058d4c199f1e6bf306df28c06e2d8b07c9eb6c5780f30aae
SHA512 0cf264a76bd29f0f797d2daba3992f19d7f2f798df07d3e6eefc3b31582dc5cd2a654c8785b4ce6eaaf92214c73fcf1a47a90359dc029e1a69ffc3a6f98a7ea1

C:\Users\Admin\AppData\Local\Temp\IYgE.exe

MD5 740d28ccc2afda976e61b5660fc55f39
SHA1 306a5980daca60a42e100886cd79a5d2e040c8d1
SHA256 36989ed023c424bcb859e27ec4a8ecf1683a3cc23ac6ff455d88ba2573655d86
SHA512 478589ae1449d682eadd514107569610276fa0f6df674de26ed97cf517710d727cc5f0f9cb1e0c578795b4d58e94743cc9092db3fb593c0d921633d387f6726d

C:\Users\Admin\AppData\Local\Temp\ioME.exe

MD5 0a0b944f276ed1ea62b798c7ad9786e8
SHA1 96ac7f5e08d05b01d0e9f3e0a3a5055dbbd1dbe6
SHA256 9c2ef6e2b285538c2e60b373b9d901674ed1bbf1d5babcb33a6b3411c154b977
SHA512 b1642989735e4d4198188bc3cbe3c72d1c44a64a96049e463b05c7579cc1d0a7a88351a6d97a28d48c7e723aec976b81ef3060c198b3d9f04f7fbf371303b915

C:\Users\Admin\AppData\Local\Temp\CAgm.exe

MD5 3ae4c1fcf089cfc963cf10d3d16956db
SHA1 40fb9860df29e688a3bf9a465da6b37c243ce640
SHA256 3b0f6bd9cea3d5a72418a2392c6b1f72a7ca7043c125378deded777926a1c62b
SHA512 ecea24e7ed86894a1b63079f2ed4f2260b8af93ea47b81c144d491caba37899aed782274b7a6a869bc575b6e28d634ba4a6d406dc58d903fa9e76175ab8f497d

C:\Users\Admin\AppData\Local\Temp\qEke.exe

MD5 6abe2ea5665d26642898767e1a7c2ed2
SHA1 a30731d36a6fefde7118265550b64c63114ae1f3
SHA256 2040125a0732327261076527eae314c311a784282576261e139e9b2e794c1f94
SHA512 b3aba62250557d5e4a46afe0850e847306c146d716312a33ab68cc0f7b630c61e1bb4545e2db943a06424f98aa5465557bb872c27592060563150d288b009fde

C:\Users\Admin\AppData\Local\Temp\sYMK.exe

MD5 8ecf65bab9a023f94e98c14856350050
SHA1 041719fe1bf68f17e3c83b1d2a1e862525977690
SHA256 47c99c00ee350b95278d06d94ccf4279619a2a69657e0d24347f7e1b04fa5468
SHA512 e6d1a7c040dad88a3e6a05734aba2b209080043261c3ad92f53f5e725144d02f3514fbbb8944f9a85e7a21867fcd7a79156208afd42b606177c5ef831f1f5ef0

C:\Users\Admin\AppData\Local\Temp\uMMq.exe

MD5 00d5aac228ca3af8701036edbf76ecd8
SHA1 109b0c3e8dc206769f9e200859cea2effc87a40e
SHA256 bc2be998712b5638e76d486065e3a5a683340a889aa56226f5327f8731f1ec49
SHA512 d8c633df070e6ba45a840a6f14d2542d655100ad68edc18ebb1e7056825d563319b2c4b7b5315b69e1fba9ef016ecd14a47314d2499d9aac4d408221370e8747

C:\Users\Admin\AppData\Local\Temp\oEwK.exe

MD5 4611c01dc052956b84c7e5f0b4826882
SHA1 9da7036130fdd781e839ceada0477635d6e01d87
SHA256 dae3fb088771663df89bfd6ab213407bc7b12d605e762df0ea428c1ddc95ba69
SHA512 d8d3aec291c05a39fc15abcb8e0090fd83b2ef4d13ead9ba6e383e439dda1e8a4df7299e44fb2e0be284651a4b755e9aa9e19d591f2be0e2fd52aea55e1fe9b5

C:\Users\Admin\AppData\Local\Temp\sMUG.exe

MD5 c01b725f625936f437127b0666003dc0
SHA1 6f5f0f092c099eb68a97f69cfbb69b553aa52468
SHA256 9c2d67969d229f91f178410efcc26be64bc55984768ebda7ae23a7a63aa67039
SHA512 0551386ca6b05be4d4cd4a3b6170ef32afed0594824ab0e582b8ccd732d2f63ae477a4da1f1573329a12b44d4d7498ddef2ee1998d0848fa7ed6f098a084bad0

C:\Users\Admin\AppData\Local\Temp\KUsy.exe

MD5 c5a1554610a664afd611f185eb22c0a8
SHA1 03a95ada40a40127665e0a6e487451a2dd554641
SHA256 927dd1abae1b8a4335c1a145d6c51aba8c231a8656996b672bb3e1e9300bb5ed
SHA512 c5c27aa8743666221cd58447d6ca53a79ccb0281cc4b7becfb02054c12f754047aaa48f91e05ab3802ffb349da81b1ef84478d6d05ec7bdd6e306b3eb9af6377

C:\Users\Admin\AppData\Local\Temp\WIwm.exe

MD5 c312506e70f1762522aea23479deff26
SHA1 990e3127c7186fca8a2c1fbd411dbe8daf3a5af4
SHA256 4fd5a8509f26902ca8891aeec94049d9425a36ce7467a2cc839cae2c9b7f4358
SHA512 a3bb3a4f1b14f2e9878981737a841e20721a4f5e62a35e5cafd18de95571ab15cf0873babb96178b957d78d768564442874ef77234ae31047d6db87e6982b801

C:\Users\Admin\AppData\Local\Temp\IUgu.exe

MD5 bbbb5c92169ba5750245bdbdcbe6b4fc
SHA1 250232a736a21825e38e1ba3245effeab1e8b079
SHA256 506f58787348a083283edf96e8c56417ac969e69a8327edf4f2c12dc01512045
SHA512 b6412ca0514283870cd8de0ffdb30080ce184d888c756766ee2b360f6bcd15ad2d1253df3717b395561bb28ed1dddd290839767164a5a983aef44cf91fe333ef

C:\Users\Admin\AppData\Local\Temp\vIgYEEME.bat

MD5 d99ba2847dd131c9efbd8f42080f0a83
SHA1 678bf014b62228698248c0152e850f0f5032a469
SHA256 ee1f66a217b50ed0e5e42822b7da7bfae474754b5daf5e6640bb71a0a8756a95
SHA512 1410d504cea470b401b5152f3922e29efda1d95e44d9055dfefe5759f78ff4543c429a88206f516dc6b6e6601289a211be93b99d27fa581278643e4f64dfecc3

C:\Users\Admin\AppData\Local\Temp\UuIQ.ico

MD5 5647ff3b5b2783a651f5b591c0405149
SHA1 4af7969d82a8e97cf4e358fa791730892efe952b
SHA256 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db
SHA512 cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

C:\Users\Admin\AppData\Local\Temp\EEYi.exe

MD5 ee9458be8268b95c2bba5056ed24f8df
SHA1 c956e2920fd030dd1b1bef3a9bea5514d049e3a0
SHA256 9b0093d8c9ef20330708750c168075d9d5a929cae34edeafd0494bc4fc333ef1
SHA512 45c53411867d8e32b6c7afff024afc765f63220d2812964f9f531a6ed7bc646c9a3a6a62d7043cce0b8446de05a929d25d7ef0c8c4486465e3aa3301aaec27ec

C:\Users\Admin\AppData\Local\Temp\ewkg.exe

MD5 323e907bfdf5efb3aa40e9d935036492
SHA1 f7593d7c0d796fdfb70f95c2be2131f1bb45529b
SHA256 c6712df2fc14c31bd21e6653130f02e4e059acb72e7ab0f351caeef7dd5c4322
SHA512 e7879d74449576d1ecfda9421b5993608087eaa7617f3dabe94135a7dffa6befcede8561ad60c16f119c5d11a02824fa7d11806a9c624a7e25457c9dbb592b68

C:\Users\Admin\AppData\Local\Temp\kcQk.exe

MD5 3d01b7b835df6e0608c276a68f1982d4
SHA1 9050c9ccddaa8accc7faaec6ecbdc227a3a515bd
SHA256 edf0a58a916412eaac96a2c0ee1273639e1b521fd37492118ddd0e6080c08b1c
SHA512 9959184320b9f387cf340ed9a49bc5f6d4eadeb965b2db1480f4a941e9a44dedab56517ffee391d0703de0ecd993512b449f882c22a96759d4f883e06748cd6a

C:\Users\Admin\AppData\Local\Temp\hmEAYMEA.bat

MD5 2d693130eee2b7c200a8abafe4961fb4
SHA1 8aa4cfc43fc367e02a22d1b91a1f55fa352a786c
SHA256 7d52084e01d088523e6798571b0e2b5926c7560fc6d8da527d92b0b4c793aa85
SHA512 20b3abe5866bd6ff2cb5b0edc6a91a89b28b3f5a533dbe9670a4733503572829baad6f4d2c8685ff1c8f6168a17714e193c75c7965ceed84e59cad2b3687c5b0

C:\Users\Admin\AppData\Local\Temp\tQMIYQgE.bat

MD5 d12bed7926fcb103521c9135b49ac1e5
SHA1 2f021f8750a8a09e1bbf5f83a2b114e9ddaa008a
SHA256 bb1117ca67d84fb021b23ab20cd8ad6fadc2aa91cca252d605d0a848afd6610d
SHA512 d83da42c2740eb4ec6cbea9f8dff6bd16e2a63974e03e00b6b834a16fe68502a7018ffbf2bac37f46bca5f3c5fbb6e240ca78ff25e909f93f3717765cb4a2007

C:\Users\Admin\AppData\Local\Temp\CUkwUsoY.bat

MD5 bf104166472b866d44f6b3f95a94ff51
SHA1 3f500156e9705d638607813adfad4e300b133901
SHA256 413ee6e16a6b122c1eacf1f792f00144fb6fa6a334b67a3c00e03a0f73c54243
SHA512 6e6e56d64ae7db32440adfd13539a4645cb9e82f1933824c72c1aa57b103711c719960ce2b1c15851477829b53b285592055c04562d5f723514a08ea817f83ea

C:\Users\Admin\AppData\Local\Temp\ueowoAQs.bat

MD5 b121fa9c1a50da6cdad30f1c9871661d
SHA1 e0c576064c7539fe70c0854f6649cc047d936430
SHA256 d09567d577e19d894421fbb010ef7b77bf35c7704625f19ab9e5c9debbc11f5f
SHA512 dab357448c780355710c2c9934431ae3b2439b3f3d9a8ab74a7c543620b4a5aa971f72dfce853f46c0b2f19d523100b4c0c6229f13b86473c6e749a45164fdd4

C:\Users\Admin\AppData\Local\Temp\mYwEIMUc.bat

MD5 653adf85691c5f97b1a8357a7f6c10dc
SHA1 037193f932a2a574b3cd8407b2ff1646e905062a
SHA256 5a9a94944dbd24ff17adfb5a687c6af5cbd25b8561ad0615953052fb81d2d914
SHA512 c1ff7c092c53f1e477b3230dfc4c6565ad7adfe31b6b62e3d5d48e98e2d53e0a836e8b75755fc56d3272c3db894ddebd944af7d5877f9adcdc096190795e3e09

C:\Users\Admin\AppData\Local\Temp\jWQowYQU.bat

MD5 f8a9e7cd3a66451fe480c8280ca4e27a
SHA1 6ad10ea918fc301157c9fd6083a780a50f4dc952
SHA256 76bcc180a20dabdf83296ab69e4d2cf0aebd840f7722ad609bed73959a2bbed2
SHA512 a13cbad00a28dd5baee80067904f2205efa9e39b297cca85113cd0778468758e2abaf57691bd3daf98f295b53c434225ea648f25c71e9f73a313820e6eae79b8

C:\Users\Admin\AppData\Local\Temp\bIcIgIkY.bat

MD5 1b2633cc869f8bd21e9c63e9a200b161
SHA1 27108e9f91ce0e1f90c7567b08826618e510b912
SHA256 7fe92c9b631119547bd1d0f20dd6d98da2a6503319a9666e96649ca9212d2132
SHA512 6c606a79eccbfc5ca2e563716aef8373810c55a1f433ce50610dfdb7a591557992f84c9449f773530570cc596e0f3daaa317d3ba5a39bb39da24f126e5e1e7ed

C:\Users\Admin\AppData\Local\Temp\DsMcYwck.bat

MD5 0ace3d0aa4703a4f50ed09a5032f6740
SHA1 1d3ebf4d96d5924403f992852e5d61f26013025d
SHA256 241cc7d40f2259cd759c0a481a0c80b3e0b5b0742b2babcaef9f3ee49df6e194
SHA512 cab3ef738a156b5abdec5dca79de8cf538326180330d3d62f4e2ea5622b5cfc48154d03be39cf35bc20d292495d8cef1c6ad678d10765403c539530c3bde911f

C:\Users\Admin\AppData\Local\Temp\tuUYYgEU.bat

MD5 75583aca9fde1cd6cd9a4eb6d38c9779
SHA1 2fa5fc3445b047a23b420d0f6e2e9631e8bf884d
SHA256 3bc4372efbbe889bf89c901d94b07ff906f365c0ac4055a310ecf717d9c972b4
SHA512 18fee9a000ebdd5556e5e370271d47e5d93599aae470838b79fb35e78a7e13d267a32af0216ebbdb8cb935852222ee08db76396be327a925cfdf89f4b9f12b93

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 19:11

Reported

2024-10-20 19:14

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
(identical event recorded 64 times)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
(identical event recorded 64 times)

Renames multiple (52) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\ciYMcAgA\paoQEkoo.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\nUcEscwc\pcgMMsok.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paoQEkoo.exe = "C:\\Users\\Admin\\ciYMcAgA\\paoQEkoo.exe" C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nqYIAsgg.exe = "C:\\ProgramData\\lYcMEMYk\\nqYIAsgg.exe" C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paoQEkoo.exe = "C:\\Users\\Admin\\ciYMcAgA\\paoQEkoo.exe" C:\Users\Admin\ciYMcAgA\paoQEkoo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nqYIAsgg.exe = "C:\\ProgramData\\lYcMEMYk\\nqYIAsgg.exe" C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nqYIAsgg.exe = "C:\\ProgramData\\lYcMEMYk\\nqYIAsgg.exe" C:\ProgramData\nUcEscwc\pcgMMsok.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\sheSwitchNew.mp3 C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
File created C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
File opened for modification C:\Windows\SysWOW64\sheInitializeLock.docx C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
File opened for modification C:\Windows\SysWOW64\shePingUnblock.png C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
File opened for modification C:\Windows\SysWOW64\sheReceiveConvertTo.xlsx C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
File opened for modification C:\Windows\SysWOW64\sheSendRename.wma C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\ciYMcAgA C:\ProgramData\nUcEscwc\pcgMMsok.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\ciYMcAgA\paoQEkoo C:\ProgramData\nUcEscwc\pcgMMsok.exe N/A
File opened for modification C:\Windows\SysWOW64\sheJoinOptimize.docx C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
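
The registry signatures above (EnableLUA set to 0, HideFileExt set to 1, the HKCU and HKLM Run values) and the shell32.dll.exe drop into SysWOW64 are one evasion chain rather than four unrelated events: with extensions hidden, Explorer displays that file as "shell32.dll", and with EnableLUA cleared there is no consent prompt after the next reboot. The following Python is an added example written for this page, not tooling from the sandbox or code from the sample. It parses a handful of rows copied verbatim from the tables above, maps each to the ATT&CK technique it evidences (the technique IDs and severities are this editor's mapping, not the report's own MITRE section), and reports whether the three-part masquerade chain is complete. Two caveats are encoded as notes: writing EnableLUA under HKLM requires an administrative token and takes effect only after a reboot, so the "UAC bypass" here is UAC being switched off for later rather than bypassed; and opening NLS\Language is something almost every process does at start-up, so that signature is informational on its own. The WOW6432Node path on the HKLM Run key is WOW64 registry redirection and shows the writer is a 32-bit process, so a 64-bit registry query has to look under that node. Note also that the dropped executables rewrite each other's Run values (pcgMMsok.exe sets nqYIAsgg.exe's entry), so remediation must remove all three binaries and both Run values together.

```python
"""Added triage helper for the signature rows in this report.

Example code written for this page, not the sandbox vendor's tooling and not
part of the sample: parse 'Description Indicator Process Target' rows, map
each event to an ATT&CK technique (editor's mapping) and flag the combined
UAC-off + hidden-extensions + double-extension masquerade chain.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Representative rows copied from the signature tables in this report
# (one row per distinct event; the report repeats most of them many times).
REPORT_ROWS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paoQEkoo.exe = "C:\\Users\\Admin\\ciYMcAgA\\paoQEkoo.exe" C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nqYIAsgg.exe = "C:\\ProgramData\\lYcMEMYk\\nqYIAsgg.exe" C:\ProgramData\nUcEscwc\pcgMMsok.exe N/A',
    r'File created C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A',
]


@dataclass
class Event:
    kind: str               # set_value | file_created | key_opened
    path: str               # registry value path or file path
    data: Optional[str]     # value data for set_value, else None
    process: str            # writer/opener as reported


@dataclass
class Finding:
    technique: str          # ATT&CK technique ID (editor's mapping)
    severity: str           # high | medium | info
    process: str
    detail: str


_SET_VALUE = re.compile(r'^Set value \((?:int|str)\) (\S+) = "(.*)" (\S+) N/A$')
_FILE_CREATED = re.compile(r'^File created (\S+) (\S+) N/A$')
_KEY_OPENED = re.compile(r'^Key opened (\S+) (\S+) N/A$')
# "<data-like extension>.<executable extension>" at the end of a file name
_DOUBLE_EXT = re.compile(r'\.(dll|docx|xlsx|pdf|txt|jpg|png|mp3)\.(exe|scr|com|bat|vbs|js)$', re.I)


def parse_row(row: str) -> Optional[Event]:
    """Turn one report row into an Event; None for row shapes not handled here."""
    m = _SET_VALUE.match(row)
    if m:
        path, data, proc = m.groups()
        # the report JSON-escapes backslashes inside quoted string data
        return Event("set_value", path, data.replace("\\\\", "\\"), proc)
    m = _FILE_CREATED.match(row)
    if m:
        return Event("file_created", m.group(1), None, m.group(2))
    m = _KEY_OPENED.match(row)
    if m:
        return Event("key_opened", m.group(1), None, m.group(2))
    return None


def classify(ev: Event) -> Optional[Finding]:
    """Map a single event to the technique it evidences, if any."""
    if ev.kind == "set_value":
        key, _, name = ev.path.rpartition("\\")
        key, name = key.lower(), name.lower()
        if name == "enablelua" and ev.data == "0":
            return Finding("T1548.002", "high", ev.process,
                           "UAC disabled machine-wide; HKLM write needs an admin token, "
                           "effective after the next reboot")
        if name == "hidefileext" and ev.data == "1":
            return Finding("T1112", "medium", ev.process,
                           "Explorer hides known extensions; enables double-extension masquerade")
        if key.endswith("\\currentversion\\run"):
            hive = "HKLM" if key.startswith("\\registry\\machine\\") else "HKCU"
            wow = " via WOW6432Node (32-bit writer)" if "\\wow6432node\\" in key else ""
            return Finding("T1547.001", "high", ev.process,
                           f"{hive} Run autostart{wow}: {ev.data}")
    elif ev.kind == "file_created" and _DOUBLE_EXT.search(ev.path):
        return Finding("T1036.007", "high", ev.process,
                       f"double extension dropped in a system directory: {ev.path}")
    elif ev.kind == "key_opened" and ev.path.lower().endswith("\\control\\nls\\language"):
        return Finding("T1614.001", "info", ev.process,
                       "NLS\\Language opened; ordinary process start-up does this too, weigh low")
    return None


def triage(rows):
    """Parse and classify all rows; return findings plus a combined verdict."""
    findings, unparsed = [], []
    for row in rows:
        ev = parse_row(row)
        if ev is None:
            unparsed.append(row)
            continue
        f = classify(ev)
        if f:
            findings.append(f)
    techniques = {f.technique for f in findings}
    # All three together are what makes this sample's evasion work: the user
    # sees "shell32.dll" in Explorer and UAC stops prompting after the next boot.
    masquerade_ready = {"T1548.002", "T1112", "T1036.007"} <= techniques
    return {
        "findings": findings,
        "techniques": techniques,
        "autostart": sorted(f.detail for f in findings if f.technique == "T1547.001"),
        "masquerade_ready": masquerade_ready,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    result = triage(REPORT_ROWS)
    for f in result["findings"]:
        print(f"{f.severity:6} {f.technique:10} {f.process}  {f.detail}")
    print("masquerade chain complete:", result["masquerade_ready"])
```

Rows whose shape the three patterns do not cover (for example "Key value queried" with a space inside the key path) are returned in `unparsed` rather than silently dropped, so a gap in the parser shows up in the output instead of as a missing finding.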

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
(64 events in total: cmd.exe 20, reg.exe 21, cscript.exe 16, 17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe 7)

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
(identical event recorded 64 times)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A
N/A N/A C:\ProgramData\lYcMEMYk\nqYIAsgg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2224 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Users\Admin\ciYMcAgA\paoQEkoo.exe
PID 2224 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Users\Admin\ciYMcAgA\paoQEkoo.exe
PID 2224 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Users\Admin\ciYMcAgA\paoQEkoo.exe
PID 2224 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\ProgramData\lYcMEMYk\nqYIAsgg.exe
PID 2224 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\ProgramData\lYcMEMYk\nqYIAsgg.exe
PID 2224 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\ProgramData\lYcMEMYk\nqYIAsgg.exe
PID 2224 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 4588 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe
PID 2492 wrote to memory of 4588 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe
PID 2492 wrote to memory of 4588 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe
PID 2224 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 2224 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 2224 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 2224 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 2224 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 2224 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 2224 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 2224 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 2224 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 4588 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\cmd.exe
PID 4588 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\cmd.exe
PID 4588 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\cmd.exe
PID 1540 wrote to memory of 2040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe
PID 1540 wrote to memory of 2040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe
PID 1540 wrote to memory of 2040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe
PID 4588 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 4588 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 4588 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 4588 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 4588 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 4588 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 4588 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 4588 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 4588 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 4588 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\cmd.exe
PID 4588 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\cmd.exe
PID 4588 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\cmd.exe
PID 3312 wrote to memory of 1164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3312 wrote to memory of 1164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3312 wrote to memory of 1164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2040 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 2040 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 2040 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 2040 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 2040 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 2040 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 2040 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 2040 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 2040 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 2040 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\cmd.exe
PID 4668 wrote to memory of 1372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4668 wrote to memory of 1372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4668 wrote to memory of 1372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 928 wrote to memory of 1800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 928 wrote to memory of 1800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 928 wrote to memory of 1800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1800 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

Processes

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

"C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe"

C:\Users\Admin\ciYMcAgA\paoQEkoo.exe

"C:\Users\Admin\ciYMcAgA\paoQEkoo.exe"

C:\ProgramData\lYcMEMYk\nqYIAsgg.exe

"C:\ProgramData\lYcMEMYk\nqYIAsgg.exe"

C:\ProgramData\nUcEscwc\pcgMMsok.exe

C:\ProgramData\nUcEscwc\pcgMMsok.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NIIEUsMc.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fgYgMEcs.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iQYcEgcI.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kSYIkgEs.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIcwIoEo.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NCMYscQg.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FeoMIsEI.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aokoUkgw.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dMwoIMgQ.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BkUUwMEY.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qeUEMMUk.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CgcokAME.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LokkEIcg.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LEAMoEoM.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FUIgEgwM.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aqIgEsMk.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WsEIQEEI.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pqMsgEAw.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoUUsIsg.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oSUEMkoQ.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmcYIssU.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEAckkcg.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWcgQcYc.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NCIsUoUk.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rCwMccoc.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mGckYUgE.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAMQcQQI.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zogsoscw.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsIAMcEs.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vuUUEMII.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rcQcMUgk.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwskQMYE.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYQMIQgg.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOYUccYU.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nucoEsow.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQcYQgEY.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tooAAIgw.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SooEIcQg.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QiEcMQcs.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAEUYQco.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bSokocUA.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKssggEY.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NIYMUQAk.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAwoAgAc.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CCYMwgMQ.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kokEsAAs.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\quEgAQcw.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEooosMk.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMsEoEAU.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWgcYwcE.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIAgogUU.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsMUUMMI.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OiAoMkEg.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qcgcMkcM.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yAYIwIcY.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fssgIsIc.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAYIIIYU.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vQYIQsYU.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmoUUYwc.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WicMsQYY.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MoMUwcck.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VMkAsoso.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYwscwEA.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tSkMgwMM.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAccwgQY.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qMMwocsg.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cwMIcAss.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BcckoMkI.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmAgQcEY.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAwcokQE.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKccUwQI.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GKMsEUMs.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv i0vHkg+Sw0Ob+Mog8vLYyg.0.2

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
GB 172.217.169.14:80 google.com tcp
GB 172.217.169.14:80 google.com tcp
US 8.8.8.8:53 14.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 84.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 101.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 226.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
GB 172.217.169.46:80 google.com tcp
GB 172.217.169.46:80 google.com tcp
US 8.8.8.8:53 46.169.217.172.in-addr.arpa udp

Files

memory/2224-0-0x0000000000401000-0x0000000000540000-memory.dmp

C:\Users\Admin\ciYMcAgA\paoQEkoo.exe

MD5 0d1ed035208d5306e2ebf5d65daf0adb
SHA1 2ce5b00bdf3ee2ac1b989659aaa2df5224563601
SHA256 a27f369580c5baff547b1ee4ca1a190d87aa1dc7238677f81664373dde059829
SHA512 d321bb648efcfd36fdda316c0cdd83465e25f8762dbcac0762967b437420186d20a991becd0023d00e54d189bdf39c635fbf7fa51ac8c8d7cc249509f65c024f

memory/4944-6-0x0000000000400000-0x000000000046E000-memory.dmp

C:\ProgramData\lYcMEMYk\nqYIAsgg.exe

MD5 462be620d3dc4e55da20e48eca2e1f7b
SHA1 da592ad30a771a0a51f9c21b1a2d565562b040a3
SHA256 d03158a3b9fe8b97686bfb5eada3942ef4bbdb88a75880e74d4aecb6ccd0809e
SHA512 695fd100f3c770b13460ddac0d3e17198b191b23764ca0d5581022cd1b8125d604751d5cbd012c071c390cf1757284f0ae4be4a07da183da4bb4a3236506e3fc

memory/460-16-0x0000000000400000-0x000000000046F000-memory.dmp

C:\ProgramData\nUcEscwc\pcgMMsok.exe

MD5 3f37aeac435fc1f0f11375077ca9e690
SHA1 365374da941ba12a3c0df1b17584a364f797d84f
SHA256 9191ac8e7b4ef89c540a6f46f0c69bfff157203afa729354938f584d5fb275d9
SHA512 761f8862191ce547714f222ecad618b1b29f7e8b8acb7ecbd83c4f3e092445ae0de7d29cff5cc976ac66045a198b9795726a6bf22d9f263420589d33c5976482

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

MD5 076e3caed758a1c18c91a0e9cae3368f
SHA1 f5f8ad26819a471318d24631fa5055036712a87e
SHA256 954f7d96502b5c5fe2e98a5045bca7f5e9ba11e3dbf92a5c0214a6aa4c7f2208
SHA512 7b8b9adf2dc67871b06fb9094bcd81e8834643cd9af96a0af591c2978bbe2fb7f53ff9b54ae09099aed97db727cd42df4ef02662ef4c6d7cf8023561ddccc7f2

C:\Users\Admin\AppData\Local\Temp\NIIEUsMc.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2224-162-0x0000000000401000-0x0000000000540000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aoMw.exe

MD5 e558e30185fe97c5e861a9df501f78a6
SHA1 d92dddd5b79c54f3d97eb2106307a8036d5c5203
SHA256 d5c26da4a8b53c0b5c94d951b7ce69636098a72844d1e31bccf1a5c7741b99d7
SHA512 2b1fd1aa48069cb9a5075d9be26bb920b286c6394ffcad241bec354ed941bd1b46e66cf01ac3c3b7536c5313e1dc4b599cbce71c131b605ed772f3eafb93e816

C:\Users\Admin\AppData\Local\Temp\AAwo.exe

MD5 46001727c9cbf14d40e49f08e43c0b0d
SHA1 392e88636fa608f05ffb5debda8107b234f904b0
SHA256 28aeecfb253857a3f495c09d1fecf34f2637d75820cffc095fd6be017fef69a1
SHA512 39c8ef500638dfa80aacd585b5f5eea418b0d79630279b60f1cc1380b078734818e4c5f6d424e469619a15c101f2fee42cb85ff495d5644cd9d7a6c6567e1952

C:\Users\Admin\AppData\Local\Temp\yEUk.exe

MD5 00f090cac9e0d222bd0acf4cd218db41
SHA1 e1cb76365bdfaa013e9cb5071ca206b8ff01931e
SHA256 034a281cd6d13b27c560773a95e6dbf5762abd84da45d8caa10f71f70cbe95d0
SHA512 9af12cd7b70412d2e5602264b8e8d1431a08b26d00b2b9d8fcfb075556c90827d086e24f40b00beaccea042780ee9dfc82ceb235391e9b0473076283b0879a32

C:\Users\Admin\AppData\Local\Temp\MYIs.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\igQg.exe

MD5 73160ff83f689bb522433f736f131975
SHA1 74458e20d7165df0aabe846599276c0da341b32d
SHA256 3676bfedf390fc8808b3bd6ffd79ec24b4aefa8d7d3a51d151065e1df15f945e
SHA512 59ed23b327f1b4c6b6f50e22bb473af9b6f8529590103b61b30672ae4bea3b015a89115540b818cb544c1bc04fe1d5dd854d72779b340b6c91ee3cb5a81b6c77

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

MD5 9ad7cd4d7df141d916feccb783e4291e
SHA1 391cb013e89d93b9df0f302be89402b489c021a6
SHA256 6827124231b02abe589522e10814a06593aea5ea0a212dd0e2022bbbeeeabf63
SHA512 3e7d474b9588f004f6b7f25b10c8ccd2c4f3b4f048a345a04b691fd85003aab40c2cc2048bed5cdd98f794586c7fcb39f4d944682bb326fb8cac8d6a512e255b

C:\Users\Admin\AppData\Local\Temp\SgYo.exe

MD5 dbb29a281e28521721452c9f8f444686
SHA1 d2a1e32952a770208e2a90ae2828212f87ec1b5e
SHA256 55e889d4c6be6da02430e603bcbc6bcd04b988464391a5eb25e00d17aa211aae
SHA512 296e46119befdf6452a86c87c4cf0b611923d4094f7e76e8c6db029f926a3c73f88e5effa75fdb7ef6690846c9613ef2337389556fb3d60a94151c7de63f33b7

C:\Users\Admin\AppData\Local\Temp\acMI.exe

MD5 363032b3ccf89d044afd3ce6234471f4
SHA1 bf0d462ca5c159920751e6bd08226e064cb6a0e3
SHA256 d2fb31d985f8c22e646f9abc72dac960f4a52868268d09b160dc642f47005a53
SHA512 cd3dcd378a391edeb5ca14df8b315590095bb13375ce9da46b1b1424af88034009b3196c0de1ac20880ca624e1a2bc4a129882fde703224a4dcfc91c35d51879

C:\Users\Admin\AppData\Local\Temp\ecUy.exe

MD5 b422f94769c5fa80b557bf21601549a1
SHA1 7e01fd5d5d24123e0368d222909d049ffb4551e0
SHA256 7333c5a0a61bc787df24ae031342cf75b06b8c51548ec939956d9f80c3184e3c
SHA512 b5f2cf4e550174f2cbbffb880a454835420b171902b4ea856c113d15ce0ff8d835e4a321df4aeb8efe0c9e3faf3e86bbea7689c0e9e6869403ed5937dd634ad0

C:\Users\Admin\AppData\Local\Temp\qUYs.exe

MD5 eb2377515811c51b622c98861664feeb
SHA1 13d761476a282fcd4f4625b97870bc7c765e1c9d
SHA256 60e91e2106c087e4f60a8b568073c492cf68d83d8e2e286de6f3e8324d4c5c1c
SHA512 47397b006d9ccd616ba63127501327a35937bb7b56a9aba338c1f3e6ec617b2ce315ad9ec565816b2920e1d406693e372b53d74e099e5e3401d90d3a323548e7

C:\Users\Admin\AppData\Local\Temp\icUs.exe

MD5 6c118c9e482d8f354db75315ebbb22f9
SHA1 decdedcdfdcff45e5c47f8cca2314e4e3a0b2ee0
SHA256 198d2349b9e06fdb799264d827e7c4c45a9c3acdbe934c2e8fce8a55c5d5ce76
SHA512 ca15509f6a71b3167ca988be543e36588caafee2a1d51a03fed2f7e91149908d58076a9e60368e1003e937939c1e62ce59672dc9af4ec60b60693979a464771e

C:\Users\Admin\AppData\Local\Temp\ScsW.exe

MD5 53c5fd8e12a906384bc079eec7ddc68a
SHA1 6eba71056ed271d596bfcc675d7ffab8e960e5e2
SHA256 63fd7dbb975659befae6201bd3ea3b07bd07f8fb12e980f5b79193404e291093
SHA512 2b37bd2ef2b120c8645fad4ea3ab9e90652f3f84c48e653ec7a12205eb05e275c75610647cd6b7230bf4256c59f24aabfad2871d07b2361516eb4a87a8b5ea56

C:\Users\Admin\AppData\Local\Temp\OUcQ.exe

MD5 a7c5cc3384c901b488290101697e81db
SHA1 d33a65dcf7f2f299133617db1570b2759c616648
SHA256 aac7189e57bf41aafd0d130083df508b1fb49935e8b7e0e7d6ca9b818fea2cb7
SHA512 a0eddd37f0f67478f388d0d93f4ab581264c6df26d624c1a35bea4bedf391abdaa7bfa17a98fc16c7455231350223b53b78e58f7bf5c3fb65efdbba966598f80

C:\Users\Admin\AppData\Local\Temp\ScAM.exe

MD5 9feccd1d5c34fb56aaa31155ebea5b07
SHA1 8de53a98708a1dd2e50c8ca6b9cb60ded3b61973
SHA256 a8f662fa58b9c7491aee20d3e3b2317da4d5c89a57c74e6a684fbfa3ad2d22bb
SHA512 c4e8b3859fc82fcdd78f9b3694464a27b381176317e73bc5ef5bb530d6de2c3c95322a9308a2269279b098ce87e738581166a894933579d121642e7e54d065ba

C:\Users\Admin\AppData\Local\Temp\kYwO.exe

MD5 e2583cef6dc9e792e3ad43956e3a9162
SHA1 3855a202e2821747dc7efe84966c3bf697a925ff
SHA256 5c19e82108309d75ba50dc856d5526de42518d6a35d79a04d2d38935818497ff
SHA512 70552a96fa9ba3347a3e62d45742ba97059473e9471b5b226f3eee7be3790bf4f9bb9a64e9cf9ed829671b8578f612e34cea14e66f0e7f0144d58e6d8521bb94

C:\Users\Admin\AppData\Local\Temp\CgoM.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\sUge.exe

MD5 361d3b5af2967c30488ec2653bcf4f2a
SHA1 94289a3a136fcf33bfaac56159600c325a5c2fb1
SHA256 45bf8973f2c5ba830a2fda1c6d9a479fc4e807fdcf54bbf1f6c864c40d90ed5a
SHA512 f851a19cb9d00ce258f11d0272319c5f8a64f2f6372774a2f1076fa2e5a6c09ffee92f11f276fe7e5796b14ebe1aba74820db2353915b742662a96322e36d9be

C:\Users\Admin\AppData\Local\Temp\QwcQ.exe

MD5 63de447509f58b919488094b736cf271
SHA1 81fc7b35ca1ee74c06e49e527087534a976ea93b
SHA256 f8988dc0cbbac8e41cfee5936d523221615629b8db0e88cb161fa01b20df74f5
SHA512 9606945a88f885faecc2384cb5cc9b21cab91d402f6c31a8d9b312d7c55fe713222b91ea350bf0a134bd5d9e674603de4cdd3e8fc9dc285925ea1636827470a6

C:\Users\Admin\AppData\Local\Temp\iYEU.exe

MD5 40de6cd1880a47e25e236f2f8b41a974
SHA1 9f590f6d583c4949bc5d0f0973198a1f1510d7fc
SHA256 7c7cc3ce09d72f1b22bf538df193ddd500a84a92ba7df05bc61a514c1d6f5549
SHA512 cbfeff021b30a17951e37291e6a774463c1dd84091a8fbe9be44742264b966b299449e6d4b8fd2f571806f3ed0b78515ec54ad4fa0296a8dedb65c83edc79803

C:\Users\Admin\AppData\Local\Temp\usYE.exe

MD5 3734ac4bc31774fae3741f2c74477006
SHA1 2acd969016f051ccc45517d43f6d1b0b4ae69d40
SHA256 65ec172cdb37351abea1b5bb9cf7380cd87f93365a6a1dee97d52d5a5fc481ac
SHA512 de15b8f02a614ca7af3c31672bcd44cb11f82e0a00b0dc4a9717110727f6807b04b2ea6677d6f2c0a99a2b95f73c13e212106822fdcb20268bb5bf2103996eaf

C:\Users\Admin\AppData\Local\Temp\kAAS.exe

MD5 49919650b628b08b8916dccbd704b336
SHA1 de6fcde04c82be933868f0343b33a1d122c3eac8
SHA256 0cd76295015a7b46b5abd82fd884e128dbbebe4b774b013cc95eb91a292ea49f
SHA512 7600c646e48bcd20fdea916d1b72fdea9a28599d778f637aa327996f17eb0bf42c3b013266588258fde4f346f0d1eb5ab9b044801577a6df4899e2d86d549c08

C:\Users\Admin\AppData\Local\Temp\QgIA.exe

MD5 86de0f6e8983b90ff5f684e4f4ab3776
SHA1 f8d11f85ecc6aafcc70c891a16765f7e6e9e513e
SHA256 772a453b2b0a7c1a28d83c87838b55c98cd1dd8221a82f6b624e9f9dbef5d0e9
SHA512 b7898c74d20bde7c6c84da402cb73039ebe0eaa0c1808a68d33ca925796e08b88e63af8ff1512aef23c22ebadd6db6ec63bde5d3c7d51a6bbbd7795e87b24892

C:\Users\Admin\AppData\Local\Temp\QsMI.exe

MD5 fbcf092e681d9e66c60b3b22cdca34c8
SHA1 056a91ad8b6dd2814b05427fc931b7ad85327251
SHA256 45d2654695b67c1bfb3a7de24921fc9e970138cf0e7d91396d0c2b3f905f9313
SHA512 c81e5714f0aad3e682ef9e5db227de8ae731002267e78d855b726abdc58a44fcd2b33185f6d1e2bb9689f62ab3b53da44210af58b454c4b52a23625640ce7b40

memory/4944-502-0x0000000000400000-0x000000000046E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QYkW.exe

MD5 d52113f1741eaf89316d152ac1961320
SHA1 3f3bb369e202a72ada87c523ed9453dc9526840e
SHA256 60b1f211bbfd2fb9b34ef1de9e9e1861fa4b3bcc390ad9a6dde1ca14e1ec6d81
SHA512 968adb08ab93dfa92217a4cd4dae511c9a1ec39a2175f64da073cfe45e33f6890056ddb86985f15a651ed2688788c77d068e4e26cf1783a99294375e012d9dea

C:\Users\Admin\AppData\Local\Temp\AkYK.exe

MD5 dc4076e84e29e4c4c6b334658ec95b5e
SHA1 908562f94216f119d3d86cbe55ea87d041d82109
SHA256 d0c7e382ee4ad0c4c6268f43388c7e22affda55b2cd5fb7ab1c8fa31485f87e0
SHA512 f8f14f1239fed5c34c37570443ea921b14124635d5e2f907780e1b641b4abb4927e0358c6aab5a230e2f1f4606fd2252b7b81bad7ba41e6e84c5f2f9ee0fe578

C:\Users\Admin\AppData\Local\Temp\eMoC.exe

MD5 30cc20b104144ed45e74fb81b297b54e
SHA1 06b3a76c2b8bf3b9a98c644e4e78e49e9a231227
SHA256 9bb608198d4b687af81085850694272d24a506bf5517c7174541cd644f5719ae
SHA512 c22dba4dbdabe4aa728f7002abd3794d19321f5372854f12ad46631db520d2c844003a00790dbd7e1725c0f1608048e668a8ff31ee28c49c7834921f965c8975

C:\Users\Admin\AppData\Local\Temp\oskK.exe

MD5 b5846854ddebf74390918937c564c1f8
SHA1 0da89eaed68653c385fed84f7d37d5c69d8cde39
SHA256 50e30b0ec932f6619d8fca0adc511af7f7e163c7e6f05a4876fdd258c200270e
SHA512 871bed70997da4c08bfbbbb108b8bc9759781d9737677495923073d816a31dbe3ad1d2bdf8b084e9598402cf2cbb43c50e5c4a911af6357907d4caade63c7825

C:\Users\Admin\AppData\Local\Temp\OwYq.exe

MD5 d61283eaaad837726714855fe44cbfa0
SHA1 fd30d0c39212431e142b2ef8dbbbb1c09f69c1f3
SHA256 2970a8e543a09c51edfaf8ab868fe0ddb05b238f043540a6250b48338ce5bfd4
SHA512 83b0128d2a795f432009f859e508b67d958614cfe03a33e173b4ee5c82148f68ffab758eb4fd63ef99c704abd65ce9e326674ca7ed52284f768dbaf3af8846f6

C:\Users\Admin\AppData\Local\Temp\AUsg.exe

MD5 cd7e28b2b9461b84f28fa0fddf0f7265
SHA1 df67d6bf47dfb11b64851f24a13d0638bce5c8b7
SHA256 c42168075965adad3ca3716b24acb99dbd828232be0d45f5ee00bd2289f653d4
SHA512 2f34ad4b8ab7fc232a729d13278f9917e2710a75712487e5317215c9b43a2949582a7659a9aa45fd9fe7eef1acdf942b38823a417410ea37acb74731450585d5

C:\Users\Admin\AppData\Local\Temp\cUAi.exe

MD5 6306e674db2e1660b6af829c5d84d4d9
SHA1 8d14c9ce670c4cddb40f21961e42c7430c2fa627
SHA256 dbe4f2a04513dc3cdfe924dd93a68e765f317e904b9cc9e8690fa5dd8236c4e0
SHA512 3c5cf9e966f542042b2b5ecf872d9f811724b3daf6c287bd9e23bcca0a8c9a69cf13c3d2b3bee0540c620a1e0f7b2c29cebe28afe67ff0a38202fcce65c60918

C:\Users\Admin\AppData\Local\Temp\uEkG.exe

MD5 f9caa9f1edd29d206886f253944a7a2d
SHA1 902e83113ae01b61b05e9be7c76c97c7ee69a555
SHA256 168c2321ae7ee0bac195dac6d1e1366372134cb24df7b9e74c02a25647916498
SHA512 4f26ff61f335880e04c1c698018ac67c1e3da67889d6fb28d84fc7e45b10388ad4bb11967b2886473cee30bad0bc1b4a8fca8637bffc1c89760a09aa1abbece5

C:\Users\Admin\AppData\Local\Temp\egku.exe

MD5 3db63ada0bbe29cc8b3be71cf76d183c
SHA1 6e72ee0b63a5e6a3550db918b404f1f37b898357
SHA256 155e3f7d0c859b8b544507a707dbbf4751c93450956296894cedb58e877c6e6b
SHA512 198298413f86ec902c870179f03a1a98ca1800dfac9f7f1c8d29d398cceeb5215527ba4bb663f140c617b68fdedca01a112ceef7ec9ec91c397a7843687f486f

C:\Users\Admin\AppData\Local\Temp\UIMw.exe

MD5 95b0a74cf035bb5a9f7c44efe871c3b0
SHA1 6c1c2c1d82c955a36635b9d9326de3d2e3cb7f1b
SHA256 8d7f63112f58e29d11fcc7080534008b2551fa5440e801eff3ba11801851038c
SHA512 217caddf8abfffad0dedfdbb99980bb08fd8199c90be6117df04e15769f75b58bfb5106c11db1a0d771dd4a1faa9baa3ad928ca60a106921bca14fe4e5eaa37a

C:\Users\Admin\AppData\Local\Temp\gcQY.exe

MD5 a4a60c68160008cbc4fac22c57f0d3df
SHA1 957b9f4f23e637722050e34d0e7e5c042d0b9e74
SHA256 1392140c3bbc5f535914e61d7894585460cb3425c308905c66d383efe3686e9c
SHA512 3a79373bd1aaec4cead120f3bc954e67619935de8b58f26bacd407e1f693d16350b06d92dd95ea4fc44c8792ac7361d0c947b7a81050ddde04c18b3c228e1579

C:\Users\Admin\AppData\Local\Temp\GQMi.exe

MD5 5d3ce5bbd93d35b1f3e2bf279d564cfc
SHA1 4671dbf911368e88047e4143965440eb2a63e16a
SHA256 a634104255e350af07e6730910221523c66641afb0cc49d566162d65caede5f4
SHA512 5ed6e5961bd0e0d89528effb23470c14f1cfd5d5a052378c28477052d226887dacd547b6889695bc04c963666c1a1c6a30742331c00722914943fddd5ed03835

C:\Users\Admin\AppData\Local\Temp\wwAY.exe

MD5 fda72399f2e96403c12e65d6b565026e
SHA1 a8a8928eda1e7e00da5a7cf8dd08163a0a25c336
SHA256 ca6fd0d7de105b40b1cd6eb040ffa94d0a322a58fa13b428b75ea493355e400c
SHA512 6064ecd00827bdd711f25386013a8460260b8bfc8f62955699d52f055bd87261de55e48228ba41d63ee6189680b2d7ead0f93787768022a1e514892bf03c27ed

C:\Users\Admin\AppData\Local\Temp\kAkg.exe

MD5 58bcf85341e86acbec787ec1f7931c64
SHA1 3585ff75a7dcb06da951f00b79bdcfd0b253127b
SHA256 cf54483b5b3b4743e7eeec0325df9ff4a10f296b7237daaf07c52f499f84b217
SHA512 398aa4161545b72e036ed3aa5b087a78a83ab0cd9f7ed2093dc1cf2b4fda0d0097313686446d3979976fa145e80d5c5eed9c48974d1d59f3ee8171a48fe522cf

C:\Users\Admin\AppData\Local\Temp\qIQe.exe

MD5 957eada831d92c2cf2fba80dd04c7373
SHA1 eeb68e0ee9071dfbb3ae8d4b6323040a4a8f29f2
SHA256 d3a2b3020c2f15c8ee0faf84c71ce3b5a63a188f3f70b868aa2f1af662960772
SHA512 a0665da47b4b3c8239539193784de35df8d1cb5d5a8b9bee84e8a8fea92b0ae760e8c07bbaf094c3d864a54873178db395117103eb60423315c88d4984d7f07f

memory/460-758-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aski.exe
