Malware Analysis Report

2025-03-15 08:21

Sample ID 241020-xxx17axcqp
Target 17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7
SHA256 17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7
Tags
discovery evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

Threat Level: Known bad

The file 17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7 was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware spyware stealer trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (63) files with added filename extension

Renames multiple (52) files with added filename extension

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 19:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 19:14

Reported

2024-10-20 19:17

Platform

win7-20240903-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
(identical event recorded 64 times by C:\Windows\SysWOW64\reg.exe; repeated rows collapsed)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
(identical event recorded 64 times by C:\Windows\SysWOW64\reg.exe; repeated rows collapsed)

Renames multiple (63) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\International\Geo\Nation C:\Users\Admin\WmIEEckk\ESQEoEII.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\WmIEEckk\ESQEoEII.exe N/A
N/A N/A C:\ProgramData\jSYwAQcM\SGYUgAog.exe N/A
N/A N/A C:\ProgramData\cCIkYwIo\kEwIoIck.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ESQEoEII.exe = "C:\\Users\\Admin\\WmIEEckk\\ESQEoEII.exe" C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SGYUgAog.exe = "C:\\ProgramData\\jSYwAQcM\\SGYUgAog.exe" C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SGYUgAog.exe = "C:\\ProgramData\\jSYwAQcM\\SGYUgAog.exe" C:\ProgramData\jSYwAQcM\SGYUgAog.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SGYUgAog.exe = "C:\\ProgramData\\jSYwAQcM\\SGYUgAog.exe" C:\ProgramData\cCIkYwIo\kEwIoIck.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ESQEoEII.exe = "C:\\Users\\Admin\\WmIEEckk\\ESQEoEII.exe" C:\Users\Admin\WmIEEckk\ESQEoEII.exe N/A
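
Added example, not part of the sandbox report: detection logic in Python over Sysmon-style registry value-set events (Event ID 13 shape; the sample events are constructed from the rows of the "Modifies visibility of file extensions in Explorer", "UAC bypass" and "Adds Run key to start application" sections above, not captured from a live host). It flags the three behaviours this sample chains: EnableLUA=0 written by reg.exe, HideFileExt=1 written by reg.exe, and Run values pointing into a fresh directory under C:\ProgramData or a user profile root. The ATT&CK IDs (T1548.002, T1112, T1547.001), the "drop directory" shape rule and the event field names are my choices, not the sandbox's. Two caveats a responder should keep in mind: writing EnableLUA under HKLM needs an elevated token, so the write succeeding means the sample already ran with administrative rights, and the change only takes effect after a reboot; and a lone EnableLUA=0 write is also what an administrator disabling UAC by hand produces, which is why the verdict function requires the whole chain rather than any single indicator.

```python
"""Detection logic for the registry-tampering / persistence chain in the report.

Input events mimic Sysmon Event ID 13 (RegistryEvent, value set): {"image", "key", "data"}.
Sample events below are constructed from the report's rows, not captured from a live host.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# The sandbox logs registry paths in kernel form: \REGISTRY\MACHINE\... and \REGISTRY\USER\<SID>\...
SID_RE = r"S-1-5-21-\d+-\d+-\d+-\d+"
ENABLELUA = re.compile(
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$", re.I)
HIDEFILEEXT = re.compile(
    rf"^\\REGISTRY\\USER\\{SID_RE}\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt$",
    re.I)
RUN_VALUE = re.compile(
    rf"^\\REGISTRY\\(MACHINE\\SOFTWARE(\\Wow6432Node)?|USER\\{SID_RE}\\Software)"
    r"\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.I)
# Autostart target two directory levels below C:\ProgramData or a user-profile root, the shape of this
# sample's drops (C:\ProgramData\jSYwAQcM\SGYUgAog.exe, C:\Users\Admin\WmIEEckk\ESQEoEII.exe).
# Assumption: legitimate autostarts in the environment live under Program Files or AppData.
SUSPICIOUS_TARGET = re.compile(r"^C:\\(ProgramData|Users\\[^\\]+)\\[^\\]+\\[^\\]+\.exe$", re.I)


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique ID (mapping chosen here, not by the sandbox)
    title: str
    process: str
    key: str
    data: str


def check_registry_event(ev: dict) -> Optional[Finding]:
    """Classify one value-set event; None means it is not one of the three behaviours."""
    key, proc = ev["key"], ev["image"]
    data = str(ev["data"]).strip('"')
    if ENABLELUA.match(key) and data == "0":
        return Finding("T1548.002", "UAC disabled (EnableLUA=0)", proc, key, data)
    if HIDEFILEEXT.match(key) and data == "1":
        return Finding("T1112", "Explorer hides file extensions (HideFileExt=1)", proc, key, data)
    m = RUN_VALUE.match(key)
    if m and SUSPICIOUS_TARGET.match(data):
        return Finding("T1547.001", f"Run value {m.group('name')} autostarts from a drop directory",
                       proc, key, data)
    return None


def analyse(events: Iterable[dict]) -> Dict[Finding, int]:
    """Fold identical findings into one entry with a hit count: the sandbox logged the same reg.exe
    write 64 times, and a rule should report that once, not 64 times."""
    counts: Dict[Finding, int] = {}
    for ev in events:
        f = check_registry_event(ev)
        if f is not None:
            counts[f] = counts.get(f, 0) + 1
    return counts


def chain_detected(counts: Dict[Finding, int]) -> bool:
    """High-confidence verdict only when all three behaviours are present; any one alone
    (EnableLUA=0 in particular) is also produced by legitimate administration."""
    return {"T1548.002", "T1112", "T1547.001"} <= {f.technique for f in counts}


# Constructed events mirroring the report; three copies stand in for the 64 logged reg.exe writes.
SID = "S-1-5-21-3290804112-2823094203-3137964600-1000"
HKU = rf"\REGISTRY\USER\{SID}"
REG32 = r"C:\Windows\SysWOW64\reg.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe"
SAMPLE_EVENTS = (
    [{"image": REG32, "data": 0,
      "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"}] * 3
    + [{"image": REG32, "data": 1,
        "key": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt"}] * 3
    + [
        {"image": SAMPLE, "key": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\ESQEoEII.exe",
         "data": r"C:\Users\Admin\WmIEEckk\ESQEoEII.exe"},
        {"image": r"C:\ProgramData\jSYwAQcM\SGYUgAog.exe",
         "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SGYUgAog.exe",
         "data": r"C:\ProgramData\jSYwAQcM\SGYUgAog.exe"},
        # Two constructed benign controls that must not fire: a vendor tray app under Program Files,
        # and an administrator re-enabling UAC with the 64-bit reg.exe.
        {"image": r"C:\Program Files\Vendor\setup.exe",
         "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
         "data": r"C:\Program Files\Vendor\tray.exe"},
        {"image": r"C:\Windows\System32\reg.exe", "data": 1,
         "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    ]
)

if __name__ == "__main__":
    found = analyse(SAMPLE_EVENTS)
    for f, n in found.items():
        print(f"{f.technique} x{n}: {f.title} by {f.process}")
    print("chain detected:", chain_detected(found))
```

Running the block against the constructed events yields four distinct findings (EnableLUA and HideFileExt once each with a hit count of 3, and the two Run values) and a positive chain verdict; the two benign controls produce no finding. On a real host the same functions can be fed Sysmon Event ID 13 records after mapping TargetObject to `key`, Details to `data` and Image to `image`.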

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\WmIEEckk C:\ProgramData\cCIkYwIo\kEwIoIck.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\WmIEEckk\ESQEoEII C:\ProgramData\cCIkYwIo\kEwIoIck.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A (24 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A (15 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A (14 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A (11 events)
(64 rows in the original listing, grouped by process; the relative order of the individual events is not preserved)

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\WmIEEckk\ESQEoEII.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\WmIEEckk\ESQEoEII.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1708 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Users\Admin\WmIEEckk\ESQEoEII.exe
PID 1708 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\ProgramData\jSYwAQcM\SGYUgAog.exe
PID 1708 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\cmd.exe
PID 2764 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe
PID 1708 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 1708 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 1708 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\cmd.exe
PID 1312 wrote to memory of 1036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe
PID 2644 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1036 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\cmd.exe
PID 2928 wrote to memory of 1196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

Processes

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

"C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe"

C:\Users\Admin\WmIEEckk\ESQEoEII.exe

"C:\Users\Admin\WmIEEckk\ESQEoEII.exe"

C:\ProgramData\jSYwAQcM\SGYUgAog.exe

"C:\ProgramData\jSYwAQcM\SGYUgAog.exe"

C:\ProgramData\cCIkYwIo\kEwIoIck.exe

C:\ProgramData\cCIkYwIo\kEwIoIck.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oSkEUkIo.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qiEcgQkU.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HgcoIQIU.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RissggYI.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZicsEAog.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vCEwkckQ.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\skMsQogo.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WAEsgEcg.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sUsMIwsw.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PgAQcEQk.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LyYwkcEU.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PkcYIEsQ.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zkwkogII.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\myAMkAgU.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GeYUAcUo.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wOYIUkQM.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eeYQAAIY.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "180898162216307287501570357421808030554-1308072783826788256-338718149561155158"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LqIkoMYg.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FUcMkYYA.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1297469681904552880311168727-21084935051663267435-10642643981408483956-1002938749"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jYcgkcAs.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NacoAkAs.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "633759855-38436260516365184721127491223-4485869391696166721-4968637721635794973"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-20386069122063567023-1722165654-2034899463699145653-1113455746-18434461871657199433"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cMwIEgwI.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ckAQksUQ.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-326971279-1677588634-2139305612-1785819148-15565513571058572704-809049793-81645729"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AMMUAIAA.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xAwMIwcw.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VEMokMwM.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vQYkEMgs.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CsIQoEYc.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aKoIMAkI.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QuoIEAsQ.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PGEsUYcs.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hwcQMkos.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nwQQcUsA.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ragoUQYk.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wmgoIUkY.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KIsYMUkw.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1498521216-592424062512843469-1154113777-1186499705-1081803309-316182878-1414418173"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CqQIYksI.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xqoAoQcE.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TkQwwQEE.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-552395210580023556903998238-86520472716957263029393246561873400837-1095060507"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XecUMcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-20816850042133281729373135916-1086651452-4844865941230584741-1041324595-1218056790"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jkYMkoQY.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EMoEcsEo.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "6951392391833217977-1215628574-252530523776437735-3406726602101292164-830660079"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UEIEcUEY.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1821133818-911662466-251894937-1656459706-1252650759364172294-1065886497-170803279"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Uqssksow.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "20678597081564835697-1389768266-1812392738378973591-17568348521359594455-2021032254"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-330415234-10733361691176773844-18870214991054938744-10578209611405286956-1525850954"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "822603002-1831601327-1791991688-809094349-2025520602-1839014263-415252244-183401948"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "923405993-12441526472061263646-799897703-375401324-978982217159644134-1946695054"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VeIEAkQc.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "188822899555434525420526321-181270893-7959148471110563452-988174205-2133154822"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vgIcAIcU.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-211576755913951952272049654767-425955650-1582015495-57404282414316396621225455291"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-21860963-1443677048-2821017728290238481688072620-1067456675106816432182447323"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DMwIEUIg.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-11325442241375101383-356460529-11169555911026407243-1613426563-22560728534193447"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tsIkwEgc.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oWEkkAQY.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1568077152206050753-91554939-1877586801448052457270962897693376769637165367"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kQMUUQUc.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "313192988304056482839434310751806085959502323-19010979231325824012-409638817"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eicYQQoI.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-538361999414824367-2120874518-883532854-157865694-5640131631878967619-132423702"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1254336071909829609-456165219-1028463971-10585038081984962922-1988062768810662308"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vQEgQwQc.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-107089230980768684717227128971945435873-1697830479-2735670665686484411380772809"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hssoEQIs.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-820469887292950373-20902351801136801446-7049935742003569668936780509-1517999777"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "8209134391493943999111781701420241502385106551605043235041868201539-1253228244"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-11580734401881184951105595782613622730881316816246250343593-212024911555286844"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1565854333-5307000172398807121636747995129494596-1940778998-9657003271325947336"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iQAcwkAw.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-81765283-916292778-549977368-124828734976691941319765720-1242535117-1112734018"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YeAQEsIw.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-15175027121577014669107891084516235363722708406461340653893-18541521611272917697"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\syUAIgsM.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "725457372-1003491623-890051925-2133412793-793128242-935165378700723291694928437"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "385331412-373806857-9645698331209671136-2077069365-1679390339-1341525613-89717712"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qKEMIAkE.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-337708865-1475103308-916973368-1602012086-457591904124548473210932669942115820349"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jYMEsUUs.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-731719171-486093010-14618047661359900691-216524522-835021915-20139950011899060661"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1764465025-1068187601-16153617451177331798-2109183721843954838200366949-1438512914"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "4726200432126688593745424097-869169501157569208-770187481-1765971548-1877225836"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pEYYskQo.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "56427670218659214571271019525-16585553086605224881441888906-1476493113-1789561153"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DyYkwgAg.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pkMsMkog.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-329204254280969058-577279090483265667365999711-19696695431224148704547865156"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2028889764-17592428341076069144-1269280875456856310-4031549271754118131-1683513776"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EOUkwEYk.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1650681591-74273627175167869910937133391921789524-3544348312008330541675132563"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1103505970-643623651-20788445111639203357989180674-127115721-655768030-553646425"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\isAYwMsQ.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QkcIcQgY.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UsgwEAko.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XyQQUwQI.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jiIgIMMg.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NqoIUMgg.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fYIsEoIk.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "542243873-2106714158-839585352-80935157315634909101342281068-810967555-351844076"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KuIsEEUE.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1874507903377418963-15469153111087911859-1218467628-236406948-502180874595126904"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "13815041401338805925-359732244-19458815331281317629-14353725816385011041541787751"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2073199626-172204799275978785413829679001415716349474134221-676417152-422109033"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-277667972-609023859-131539685-26820169-14136093162134143189-1741532764528975967"
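The process listing above is the same cycle repeated: two `reg add` writes that make Explorer hide extensions and hidden files, one that sets `EnableLUA` to 0, then a `cmd /c` launch of a freshly dropped `.bat` that receives the sample's own path and re-executes it, with `cscript` running `file.vbs` from the same Temp directory. The following triage script is an added example, not part of the sandbox report or of the sample; it parses command lines of exactly that shape, flags the three registry writes, recognises the batch relaunch pattern, and collapses the repeats so the analyst sees one finding per technique. The input list is constructed from the listing above (one cycle, repeated twice); the technique IDs are ATT&CK Enterprise mappings chosen here (T1564.001, T1548.002, T1112, T1059.003, T1059.005), and the `Finding` type and rule table are this example's own.

```python
"""Triage of sandbox process command lines (added example; not part of the report)."""
import re
from dataclasses import dataclass

# Sample path as it appears in the report; the command lines below are constructed from the listing.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe"
ADVANCED = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICIES = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed subset of the process listing: one relaunch cycle, repeated twice as the report shows.
SAMPLE_CMDLINES = [
    f'"{SAMPLE}"',
    rf"reg add {ADVANCED} /f /v HideFileExt /t REG_DWORD /d 1",
    rf"reg add {ADVANCED} /f /v Hidden /t REG_DWORD /d 2",
    r'\??\C:\Windows\system32\conhost.exe "-329204254280969058-577279090483265667365999711-19696695431224148704547865156"',
    rf"reg add {POLICIES} /v EnableLUA /d 0 /t REG_DWORD /f",
    rf'cmd /c ""C:\Users\Admin\AppData\Local\Temp\EOUkwEYk.bat" "{SAMPLE}""',
    r"cscript C:\Users\Admin\AppData\Local\Temp/file.vbs",
    rf"reg add {ADVANCED} /f /v HideFileExt /t REG_DWORD /d 1",
    rf"reg add {ADVANCED} /f /v Hidden /t REG_DWORD /d 2",
    rf"reg add {POLICIES} /v EnableLUA /d 0 /t REG_DWORD /f",
    rf'cmd /c ""C:\Users\Admin\AppData\Local\Temp\isAYwMsQ.bat" "{SAMPLE}""',
    r"cscript C:\Users\Admin\AppData\Local\Temp/file.vbs",
]


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK technique ID chosen for this example
    summary: str
    cmdline: str


# (lower-case key suffix, lower-case value name) -> (data that signals tampering, technique, summary)
REG_TAMPER_RULES = {
    (r"\explorer\advanced", "hidefileext"): ("1", "T1564.001", "Explorer hides file extensions, so a dropped x.png.exe displays as x.png"),
    (r"\explorer\advanced", "hidden"): ("2", "T1564.001", "Explorer hides files and folders marked hidden"),
    (r"\policies\system", "enablelua"): ("0", "T1548.002", "UAC disabled via EnableLUA=0 (needs an elevated writer; takes effect after reboot)"),
}

REG_ADD_RE = re.compile(r'^\s*reg(?:\.exe)?\s+add\s+(?P<key>"[^"]+"|\S+)(?P<rest>.*)$', re.I)
REG_OPT_RE = re.compile(r'/(?P<opt>[vtd])\s+(?P<arg>"[^"]*"|\S+)', re.I)
# cmd /c ""<dropped>.bat" "<argument>"" : the doubled outer quotes are exactly what the listing shows
BAT_LAUNCHER_RE = re.compile(r'^\s*cmd(?:\.exe)?\s+/c\s+"{1,2}(?P<bat>[^"]+\.bat)"\s+"(?P<arg>[^"]+)"', re.I)
SCRIPT_HOST_RE = re.compile(r'^\s*[cw]script(?:\.exe)?\s+(?P<script>"[^"]+\.vbs"|\S+\.vbs)', re.I)


def parse_reg_add(cmdline):
    """Parse a `reg add` command line into key/value/type/data/force; None if it is not one.
    Options are accepted in any order, since the listing uses both `/f /v ... /t ... /d` and `/v ... /d ... /t ... /f`."""
    m = REG_ADD_RE.match(cmdline)
    if not m:
        return None
    entry = {"key": m.group("key").strip('"'), "value": None, "type": None, "data": None, "force": False}
    rest = m.group("rest")
    for opt in REG_OPT_RE.finditer(rest):
        entry[{"v": "value", "t": "type", "d": "data"}[opt.group("opt").lower()]] = opt.group("arg").strip('"')
    entry["force"] = re.search(r"\s/f(?:\s|$)", rest, re.I) is not None
    return entry


def classify(cmdline):
    """Map one command line to zero or more findings; benign lines (conhost, the bare sample path) yield none."""
    reg = parse_reg_add(cmdline)
    if reg is not None:
        key, value = reg["key"].lower(), (reg["value"] or "").lower()
        for (suffix, name), (bad, tid, summary) in REG_TAMPER_RULES.items():
            if key.endswith(suffix) and value == name:
                if reg["data"] == bad:
                    return [Finding(tid, summary, cmdline)]
                return [Finding("T1112", f"{reg['value']} set to {reg['data']} under {reg['key']}", cmdline)]
        return [Finding("T1112", f"registry write to {reg['key']}", cmdline)]
    findings = []
    m = BAT_LAUNCHER_RE.match(cmdline)
    if m:
        findings.append(Finding("T1059.003", f"batch launcher {m.group('bat')} re-invokes {m.group('arg')}", cmdline))
    m = SCRIPT_HOST_RE.match(cmdline)
    if m:
        script = m.group("script").strip('"')
        findings.append(Finding("T1059.005", f"script host runs {script}", cmdline))
    return findings


def triage(cmdlines):
    """Classify every line and collapse repeats, since the sample re-runs the same cycle on each relaunch."""
    seen, out = set(), []
    for c in cmdlines:
        for f in classify(c):
            if (f.technique, f.summary) not in seen:
                seen.add((f.technique, f.summary))
                out.append(f)
    return out


def relaunch_count(cmdlines, sample_path):
    """How many dropped .bat launchers pass the sample's own path back as their argument."""
    return sum(
        1 for c in cmdlines
        if (m := BAT_LAUNCHER_RE.match(c)) and m.group("arg").lower() == sample_path.lower()
    )


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f"{f.technique:10} {f.summary}")
    print("relaunches via dropped .bat:", relaunch_count(SAMPLE_CMDLINES, SAMPLE))
```

Two things to keep in mind when reusing this against real telemetry: the `EnableLUA` write only succeeds from an already elevated process (HKLM), so a successful `reg.exe` exit there is itself evidence of elevation, and the rule table matches on key suffix so it also catches the same values written under `HKU\<SID>\...` paths that some logging pipelines record instead of `HKCU`.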

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
GB 172.217.169.14:80 google.com tcp
GB 172.217.169.14:80 google.com tcp
GB 172.217.169.14:80 google.com tcp
GB 172.217.169.14:80 google.com tcp

Files

memory/1708-0-0x0000000000401000-0x0000000000540000-memory.dmp

\Users\Admin\WmIEEckk\ESQEoEII.exe

MD5 c0d2bc7f476242d0a8f06cfc6ae614ce
SHA1 2fc9141a71e966d53d9f32bebb60e8fa8ed77780
SHA256 4f27cf7e048304028e0c78a69d770907ba4accb0b841444567e84e239ceb1789
SHA512 458a1d2e773776cbb3b6fc370660f780556066a9766a65a97c40a77d698d1ac1d998a22012ba170f768080dbe9e4eaf4108801ad150bfb0d3af0cd716aaa9962

\ProgramData\jSYwAQcM\SGYUgAog.exe

MD5 8f017dc6e3285252b6ee682da6c89eee
SHA1 95f7070e424b9b58337e51aebb847289cca68d49
SHA256 c5368058277e9b3e6586fd59f252ce958156dde782fb1a2071bd1fcc36dc6801
SHA512 803aa590fe0a865953b546a947253a19e472c1282678cd0f1bce08892067dead74c9fb1a72d9e3353caad685f010f36ab93b3ff170495c6a4e55263f5bd55608

memory/2964-21-0x0000000000400000-0x000000000046F000-memory.dmp

C:\ProgramData\cCIkYwIo\kEwIoIck.exe

MD5 27ad47bf954b67cf64f09aa222a8d4ac
SHA1 1516c698e32ac75f95d9750b8de10aed561dc8d3
SHA256 c967243470abc12cabeebf526d9675acfe873485371e42a0ccbbd44cfda87d2e
SHA512 d79ea82cabc329806b80b5a4cb12c07da4016a5e818e1def6ebc033241d70f6416443cd589cb07f7dc924db920f7167aa4201c8a8f831df58184934f323a1f4d

C:\Users\Admin\AppData\Local\Temp\QioEUMEA.bat

MD5 511d4773c3bedacbd7484876b751dae2
SHA1 59f9c90c5f5feeea5ebb6e655b87dc595c6961b3
SHA256 33704ed38573c5c8fc93c5b3e533031b1dea2039c449d7a0a5ae6a572ee75220
SHA512 1206fac1515c7938e96a63ec29963fddf33b26ee810ded2639540399a50a9b2ea9380c54f31c8e5667ff1691e02967bf47c4ca1b822988b2cb49cad7a02f7645

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

MD5 076e3caed758a1c18c91a0e9cae3368f
SHA1 f5f8ad26819a471318d24631fa5055036712a87e
SHA256 954f7d96502b5c5fe2e98a5045bca7f5e9ba11e3dbf92a5c0214a6aa4c7f2208
SHA512 7b8b9adf2dc67871b06fb9094bcd81e8834643cd9af96a0af591c2978bbe2fb7f53ff9b54ae09099aed97db727cd42df4ef02662ef4c6d7cf8023561ddccc7f2

C:\Users\Admin\AppData\Local\Temp\GMcIUgkw.bat

MD5 881c862c7e6a911663845db5ecac54c5
SHA1 06185ad23a44d868d642198067a12b451e8ad2fa
SHA256 5c39f980820c429c4b774c1e0107f570f2780f287d1aca4f9a6b7cc47f9e3ab2
SHA512 0b9a2e8970e77f38fdb7fa6fadc87608edcd8ab5f8c36dfd08a275a5b760b7559dd4bcd4996b62527d7ab59714d5040c3a1246720d7af34ee07e5f6f3585b2a5

C:\Users\Admin\AppData\Local\Temp\oSkEUkIo.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\AyQogMcw.bat

MD5 380f0473e9ae2478144b8c28b7d06a5a
SHA1 baa890b4691755912843046e225e4b30460d067f
SHA256 731e3e1779b3f565401e81b3134f9c4fdc1dbfdc0a99a615d9cdccc89fd4b2e1
SHA512 d83f00de2fc6bb36188c8d4cc406929076f6840884cd1fb86afc2672aa04147920a23ee0e916846bbcf915b3dd6fe2043d1fa6bc83e562820716e01107bc10a6

C:\Users\Admin\AppData\Local\Temp\ZQkAsoMw.bat

MD5 7244eece6c878122a3c0414167016b18
SHA1 ce6f05bb827c510fa968265c0c2f6a7f21772c02
SHA256 32fa40dae9b59e6083f7251fcb527a0128730db54dcc5d1009e8a51d19a10e2b
SHA512 914cb86529d66f0528c6d1b906710f544c1b4e0088699019af32dd8438861962ddd771d8fc3191b91d127c968adaaadba4c7c98e357002cda9e1254dd95078f3

\??\PIPE\samr

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\JowoEYsU.bat

MD5 c371ff4bf823eca0980b5c7d24bf6282
SHA1 575c45cba049f4b26b184ac18d84aa2c5b7d1832
SHA256 d1c4c7e00877910f0c10f800a3b909ced765d8ecde4145cd3d5b468da8672427
SHA512 034e79cbee266374d829d8471064278b35205ec2f1aaf7432aabd1828b2cc20ad4a96c854129043570c4f8d43c2d1389543713832ff056fab2ebdb902b580347

C:\Users\Admin\AppData\Local\Temp\HGcYosks.bat

MD5 e46a8cf4ae1b224bcc5abd041e15eef8
SHA1 526b553cd99e70a4fadcb24feb72b8afb7a4a1cf
SHA256 fd0cae31d312d2942ae3876d71c6e2d3083419395fc17e8dd148b7c0b1beaec8
SHA512 c78ca3fe26f900c145b642a39b0b51e34f1cf131a4c9c4be5caff54c4bc3d55620edcbe6c0beaaf86a68a9a9a0937fb4aef7ebfa8787ebf295aebcd70b822519

C:\Users\Admin\AppData\Local\Temp\XakEAAog.bat

MD5 8987d8e05daf8f15333ab9fc58c5dcb7
SHA1 4364ee3784f322b90081fc1f3f8bed576532dac8
SHA256 db09ebeac4938645d5e5c57aa2702f26139b15374397644769224c38aa6a39d5
SHA512 6ac601cb9b135381fda98bb67058f00aec111e15a8dd49bf406a51572e393db3ed73a270c68b902598c0ad161c3551ba2dfb6acbeb9b9e1024958b760d3dcdfe

C:\Users\Admin\AppData\Local\Temp\wGwocIAo.bat

MD5 f92350ad3acf9336c7db6fd637cab4cf
SHA1 44f41543f44d78c01c4445b9f589c2c58f9db77e
SHA256 a5287e0ef68a67a80fa37242bbab02871ca0a195392bfd65017b2e943409afef
SHA512 4b8c2523a9a072ea8c27729ab65499b1e1297ab6e1fa2998b83e5db419743751948b937fd0b4ec00af7a19acfc2c04e459067fbbda8a0f20e9789488f9ea5332

C:\Users\Admin\AppData\Local\Temp\oUoQcwgI.bat

MD5 31a24b06228caa9c195750f59f4f4e29
SHA1 f353f93e0efa30821d576f9a6aa646f0407ce7d8
SHA256 d82a29657c98c6282cb74998bae9252e6356761404daea61742499e5dfdb7906
SHA512 f894725e1bfb79ac1fd2a8ddce35ac72c879de72bf4a9917422e0f7e4aa3d95e0059f61b31349453b6bb5183fc0310ab4e410c127c5d7b4e33feca921f5b8527

C:\Users\Admin\AppData\Local\Temp\WWoogwkA.bat

MD5 840c66d4b99b763d11fb34e4fbabfa29
SHA1 300634ab7306e1f58ce8b9e58c4b8d74709c7b74
SHA256 ad4797fe89fa08c8306fe59d2712104c9b91dadca8255f64839919a9755096f2
SHA512 14fd69610c84dbadfdafbbc3d98207b96a31b961339ff0d3c6507d6b8cb2b95f74a0a8ffeb603369195b91f429b1938825b198d3f5b506f811c65cd9476c860a

C:\Users\Admin\AppData\Local\Temp\MyEQwQgM.bat

MD5 7b5dd5e4c1a68ae4ed2d9812d970dc68
SHA1 1f14096ec2319d791aecfc929344cff7fd3338f0
SHA256 efa4e96de51b386774df31b8ced7d13cd76d796ee989fabb90c961052082f962
SHA512 244910326a6c1c24145873fed0c690800059fb42bbc37fd609eaefccf19ffbf095b828970ea1dc3f67db960f73556627251b98b87413aaf35fdcf67ae9b36a25

C:\Users\Admin\AppData\Local\Temp\xggIkcgM.bat

MD5 57189b34d4cfc46fb350b9d5379b14ea
SHA1 c9a5c724290baa06e1aa4f615954cd4d304bfecd
SHA256 de66c0be07dba5bff3a56c19297882ec25035520e77cd85a88c86220f59c2933
SHA512 b2e01ec1109cf759a863c31d5e3634bed78063a7ba61bb658972f3e02c5795225133742f2f3fc11c3bbffb7cef2117697d7e9b0ba9f7fb067a385178aee39b85

C:\Users\Admin\AppData\Local\Temp\tQsoYYAo.bat

MD5 2404e503ebfbcabd253d4b096516a833
SHA1 30857c4d8933f0bead035cae209449b3f43d91ef
SHA256 86d90504adea1af4e652f676c48d1a910f920074341a8b8619e6b3fb15c64fb1
SHA512 d868a8b20b6068b8f5befd6f30ce30d53b2bfe65681a849e89bccc689a88effe9f8544747652af832d1a2e11c537bffff1b336450625b5fd0114bcf8b150b0f5

C:\Users\Admin\AppData\Local\Temp\PqMoQUEc.bat

MD5 2f63b3fad32a74a586f448830a708b2f
SHA1 8a3b4d55361af900edf1ed12f883728180ae1074
SHA256 fcce4619b48bf6a0e17d0e65495e6fa6ca1d0a25742a49bfa43467f0f753fd03
SHA512 4bb1c4b35e86f3d9f2d605fe2f19cbd6fe876c2c9d55afaffe937a9ace8eed5d0bfc14c3972dbd2bf4bd4c92a320193c7d00ea76a82e6cb1adfbccdcbe01a5a4

C:\Users\Admin\AppData\Local\Temp\qgEUAQIM.bat

MD5 3381009dae06bcdcadf66694e738c7bf
SHA1 b551e57bc24662bf12a21c1e241d6208936a910a
SHA256 59d977c3835e6d15605c78ec83920702d9ad7fcdba5379ad1ef4ffc27afba64d
SHA512 092e553ce803a85b20a68c508fd661c527f2ad8bea89e9280652ae247bf038dde345ed57d158f766f5b492ee0092eabab958f37afa532e2e1a1b279b7926b3af

memory/1708-322-0x0000000000401000-0x0000000000540000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OgYwwIoc.bat

MD5 053e66440d2f0741b7cd5ee524e4411b
SHA1 03714471ae0f9a606f157f27d36064aa85e98dcb
SHA256 9eba9ef81695df2ce1e2d1715a93ab4bde5ec1bc6440dba83403111eb5147b53
SHA512 cc6701bda038697964fa4413970a5fbd34445dbea725e1380a54112dd7e6c78f3970eab5cc4180f6141a61ad8604b3391da6dab69649ab37820b9d3c2f3d7c34

C:\Users\Admin\AppData\Local\Temp\aMIYMQEQ.bat

MD5 0164f359292fd966c027db5aa88f63d2
SHA1 1533e6b50578e29a9ab64a23ea256fa814a6808a
SHA256 aa60f7af306a2c6d109a0f3df9a30fd51d77aa403c76f5b1bd9b549a1fd696be
SHA512 db23d67e99b790a8e872bbed18d324e968f652a16febccf494cc386d9c0c84e748f7f838c0e833737abd9cd283b3d5df0e187e3078f81ad201ff8ec3b2198c27

C:\Users\Admin\AppData\Local\Temp\TmMoQkEA.bat

MD5 6dc1a0f3dd9308a351eb87fe4a283bd3
SHA1 f71ac156c6c4e65edfe76d4f82867882d2b5a2b5
SHA256 dcb5bedfb9d63883392e8240150aba5febbaf8f53c0879d613baab96766f1396
SHA512 81d20f69bb0152efb5db4b296916af4616eda686d1fb87ea884de9f68c7f029b6df301866e6c4d4eecdf6206def0ea544f146455832abb1cd827731345a61f02

C:\Users\Admin\AppData\Local\Temp\POEYIcwU.bat

MD5 390d0f07405ad674c1a6625d43185386
SHA1 27dbadaf65fe734eea529140dbe6dd5c83543890
SHA256 d51ddbdb84e2421c32d3abcdc77d697f886f4e1945af93c616e26580733028e5
SHA512 2486611bbae730f0298370b58fa9aa27e0a6e96ace7c6882a33921525cf6cac91340f69e65e5c71bb7f4910dda8a0fb4a960b658905bbccffe9f294f507de901

C:\Users\Admin\AppData\Local\Temp\xWAsIIUQ.bat

MD5 44087298a9d747295415caf3e50986a7
SHA1 71bfb59a1d147e8f1d329becd6835fea6210c638
SHA256 5b6dc221c2554456c0a9b5151a9088fb22ef68a0f7e358f5724d4f547911af73
SHA512 9d0135ca03557fb8ba6a59585a55e5aab540647139f0dbd8f0303a3d14c299640db5d4e8dcc3576555966f6fd6b43a842948cc024c7583bbcd65df30b2b8bc13

C:\Users\Admin\AppData\Local\Temp\zGkQMYoc.bat

MD5 ad4c6e22c9fa252f3df08385f3edfe3f
SHA1 7ccd6b7638765735a7ed4662d58fca0e2c18be4c
SHA256 77686b3174e1c5eba08e8c529339d5a3b7ea6f8d80ae264cc761249330d72835
SHA512 58eef6895a91e86de027dc7b3ded2844e4c250cbb8bf1f839d807cdd56c3f078d15e804157f8461db3954916ad75f8dab9197a0662f0788d3735f062fdf0161a

C:\Users\Admin\AppData\Local\Temp\OSIMEwwA.bat

MD5 e1dd4c3499a4fe76fbed1850bcfe0285
SHA1 d23ba69e48aceedfcc0099ab138d9d826c1351db
SHA256 f15746791ae2d81c0a1edcb82a80b5e5740995636c309560d07d66e6b1985358
SHA512 3fda4184b06f47bc9eb3db43daee6067a2f5e9dc65990083dbe2df55f745d93d35472f5af1219edae4b5893fab6e8330128038b9534f9f23b9e007c7e57c6be6

C:\Users\Admin\AppData\Local\Temp\mSYYosUw.bat

MD5 51268625a1ca13b4849b8ae36bf437a7
SHA1 91a77b2443146da4b0832018a6c3a2157390d60d
SHA256 d6c5f59c65277481988b3954fbfe6b724843f233fa6b8c68d2ce9530c356f930
SHA512 5f781a99db46bd233088612eb0e8ae9148c77c127e2dc8c4e6a9a643b0d29a888d7935af5d1e03ad4a5b21fc37300141793d1a532fda40ed0f18e93d612c3fd1

C:\Users\Admin\AppData\Local\Temp\iswYsIkU.bat

MD5 3f8fc293740f7659e6687e0e065518e0
SHA1 0281ddaf2b0935ae7d6d156d386d13f7f426d665
SHA256 47746ef7907067ee8fff05536cd2cabb921cf0568c3d9b33fd21ec881c8e0132
SHA512 1a9ece2c8cc56720006df2daefbd04621329df916cc4c1f67e42efb11317e88102bf97cdd029bd1c0373584c946589b4573edd0676547d1a4818912c3f6bddcf

C:\Users\Admin\AppData\Local\Temp\ZuQkwkgo.bat

MD5 0c34f43d1084e9b2e5396446336bbfd3
SHA1 91f1dcdddf4240873a592dce780df77d3a16871b
SHA256 8e5ccbee664f19a368e8efb7dee5890de1ded80cabe01eb3b447e6ef066745ed
SHA512 8769c9b479c26ecf1be1789c24c9d0691bb0048d64b24e0824892f07b51b89362c085c81100d25333be23ad691a3a23124e6ee0cd0bd1cd9f0d151a4890df1d0

C:\Users\Admin\AppData\Local\Temp\ZuwEwwYM.bat

MD5 1513b58ee6623c4e70225ca2466a2049
SHA1 f8c163c043b888a8d873609e9e940639aea820d0
SHA256 891628c8b9207c7c79f1e5b58158841ca729c619088752ae6cfc1b9e11bbb562
SHA512 77659e6fee647cd90a778149b78645845d076cbd7f079d560e93c5adb3e32ccb2cb1470cebd5b65d65e2f746dc7160193fcd519bf8560567ecad71656428532b

C:\Users\Admin\AppData\Local\Temp\jWAkowME.bat

MD5 48ab859e19361bd238b735f3c30a7c6f
SHA1 e4c015c4d884b161cdf785b6173c834e0df4c37b
SHA256 001f962c164e9cba0b341bd312707611511c49e512958cca90805e516e0a3f16
SHA512 4058d366c68b896b78484b00f5b597e8eb574a4916074deef31fc5d8ddeea2d6a2f0cc32bc6fe3b92a764ec314778edb152b21a0313f663e2c9a391f75bd6eff

C:\Users\Admin\AppData\Local\Temp\wYgsYUkM.bat

MD5 ce5eee9954e0fc0a05af53e4285df8fd
SHA1 762b2e28aefc67e40d021fb1e35e3eb41cd9abd7
SHA256 3b7f1e9c361dabe3f072bf60dadba6a0fe15853f1ce313da478a97a4d22c224d
SHA512 171ca5a3860b42e2f52a1007ed71e1fa2e5b612962e21bd72493ab1c8dbe0b2902f975a5ac888ce960d8bb3a04d6b3e83b4b20ef2fb5a2e977544aad51af7ba6

C:\Users\Admin\AppData\Local\Temp\ueYQsoAM.bat

MD5 4dc174ea4b86a268bd9d5faed3abb6f2
SHA1 b94611d7d91a627a3348f3a403c68d8aebf76791
SHA256 4fe60fefce5b1329c17862c45ed42965e8fa0abf6ecd878d87f9d0d66daedb18
SHA512 ee9ffea1162e32f82948df041369f526fefcd7a583ac83fe8fa468cfdf6bce3f56018bfe9da376da8bd57b61b35fe1ddfcccf511036fe842442f0c1d6445402c

C:\Users\Admin\AppData\Local\Temp\sckYssYc.bat

MD5 b8612eb0b49edb2ab39c44bcc08f4c04
SHA1 636f6454d7f8f479552bff89c9eae8cf29e65c2b
SHA256 554c8ad1045e4927128e28e7931dc75d8987cdc16ecfc13d9223e14f729302d7
SHA512 ab7473f821a4514cfbf07b1b96003f5543cb0b7c1a38a16ce916430bdee0cec4b97e7cee7c293eb5fd0a598bd7524d3d2e903c3e4e523210c378dc87352336e6

C:\Users\Admin\AppData\Local\Temp\dIYoUwQc.bat

MD5 72b7652b7981f8380edc58975f836add
SHA1 1ae3b595f72d38153fd0302c8e1b643765525d12
SHA256 fa8ed95fbb5a88c94b1fc4f370079d06302d090d3664e4659bcf20c877090c90
SHA512 1e6c7dc48ad6eede116ed4c308e36427ecb2aea66ec3592c757609ef3da9ad8ceb74584b338f9ab6dba484a30bf582e62726e81f64f46d114dbc671bddfce4b7

C:\Users\Admin\AppData\Local\Temp\LAsosYcw.bat

MD5 0aa9a46f798fbf6ce21f9bbfac85f07f
SHA1 64a510f2cc5a561ff4fa194bd8a8393f70569624
SHA256 329cc1df5dbe6b288edfd8229bffdaf6a4a7a64f8dc1e7092cccaabbaf4fe49d
SHA512 ffa5fdde143ea40e88c44dc94c300224116af3076fa8ab8d6143330b4757fd2ccc59541d3ed8c60b5a460ce558b4205e16a80b0eafa2a4061e6b67d989b9f337

C:\Users\Admin\AppData\Local\Temp\IUkW.exe

MD5 9274ade3879aac4f0aa2afb2775eb809
SHA1 d93a290e4030070c9ad066e3685ebf3a8092b7da
SHA256 b5efa31cc1a6c7628f8d2b68d50b4cd4e0582c3a8bccad3043e36a1b3f469a92
SHA512 cc0cfbb86431c66e3db39477623d4edbfd1cbbd0a2787ef47461242acfcdaefbe16f725128b4d723163c8645077e982f4e801f9a291f0bed95f9223af60a3692

C:\Users\Admin\AppData\Local\Temp\tckIgIAY.bat

MD5 92beca8d1e52f41cae09724c7e9ad0d6
SHA1 406da16829b73310471dcac917c7553feffd18e3
SHA256 4c955acb1c20feb704272d62cc32680d4da049e4fd2e73274c58ed8092438e93
SHA512 06aeff8bafabbc6b0948cc280af37950290cfd007f7fa773540c70be6e34283f60da809831fa0c0fc5dd2dc27d89b5cf12c2577d369d86f23750ae15027a810f

C:\Users\Admin\AppData\Local\Temp\mIMW.exe

MD5 6af18d58b208caaf321dbaee1c790811
SHA1 65ecf53e7d226a3dd0a39be60d7a244c1de76814
SHA256 12635145adbf503af65ef4e578b0ee1cb5559a257f7fdbb408eb79a801f48ce8
SHA512 1dad9655bc35995301fa35df5822614de052f6e3a2c94f630f86371132a3d2df1c5cde728931e88a1087e38a2edd85f317f130377672465411220bd8a79e3a3f

memory/2964-664-0x0000000000400000-0x000000000046F000-memory.dmp

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 44ecf6b478b3f80a47a77a0618a489a6
SHA1 b07fa94031ba77921a7cd09de040b6718d555cbe
SHA256 b70f5bd16c32b80970c7a07d462a8b2f064b4f7d6613ff261c18e47b56141e1e
SHA512 7ab8c0612a782918e3b8c90a2e2e1c966586b68475d5e958117b2dbe8d2de1ce42c38e6a29fbfeb754b530bf0a50c71c2b6756b222fd32f57b244e9eb5c41f33

C:\Users\Admin\AppData\Local\Temp\puAQYkkA.bat

MD5 187c5a6a7b02de8e288517db4bf467e8
SHA1 1a616754b8ba51851490f3b5a35228f490d0983d
SHA256 21e8ed344fc4eda7adb8813f6a62119909e7e3c1387a42862cfc467f1befe556
SHA512 01addaa698fa872e1a8b1b1deb92769ba064082b22ef2963881c0b6ce909011df270a60fba6041ce0c2602758b4c65f6c3fdef94acb34a810d36b7ee08366a30

C:\Users\Admin\AppData\Local\Temp\sQgQ.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\Users\Admin\AppData\Local\Temp\YMIW.exe

MD5 f5e7a0b904dd55102b1775243ccc5754
SHA1 ab6561e38d9fca4bd36fab76d5ab0c3c06bce557
SHA256 534cd63365f086b2e9687c2c72ae3267d140208f7c5a41a73cea5613d76928f6
SHA512 57bba0b8ef3bd74c5e2f1bd75635f4aca0b839d374cb20d53bfff29e50bba86697c01636d35d44d3c3c0a1d85a4e11460d8488dbc2db832a5bd24473b79bffe5

C:\Users\Admin\AppData\Local\Temp\kcYY.exe

MD5 55bbf00185deca71743135b588693d22
SHA1 a2dcf091734911619f54a5c94c509aac05287f8d
SHA256 d6803938fa2bad156b18351a3b86494a49c6b744ede8411b0e714ec0ea0ce1f9
SHA512 36300f746fdf317e05db1e6fa6a73298624bb70dbad764f46488b2309d119d3148d85cdeca403b5587cbe857728224d25cb8a85ef22985f4fcea510de6034fb7

C:\Users\Admin\AppData\Local\Temp\eAUU.exe

MD5 c48ee61dbdc2734613019bfa963987fa
SHA1 d2f33ab5d7f6e0f02e3a08d95b0f94fcac78f0c4
SHA256 a5beb43df2b6bda50730ca059d1e2b1ef1eb6831788be24374561d5578156b92
SHA512 bb258f8216adb840bb27de46dae43578bac56d6ffda70e2aba5975ecb45f6f0131087b87458776a7e0fac5dada68247ad49605257ed770b44e8c931a89f51161

memory/2080-734-0x0000000077160000-0x000000007727F000-memory.dmp

memory/2080-735-0x0000000077280000-0x000000007737A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AMYC.exe

MD5 17f43e7a6f385fd941fa2a4353b25072
SHA1 e9c1d94ab856ca9751bf621fff25b0102bf44352
SHA256 6cf0f3e24da827a7257c68051b4128a3f020223ab7cc9fcdc5ab2989963aab89
SHA512 017059e54d3d2a4d02cdcdc12d8e984948f8edd6e8138bc2e628a7471bc759001b83cebd895fef1dff572542b0a251a4542169c9bb1094ec4f6bdc5af7b7819b

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 79e6f829aa9684b97ee4a3f2138199e0
SHA1 62e26df96c1ded5843b0df4bb13667c6e590bf18
SHA256 01494e3f1b3a4d6dc80a75c0df22169bd3367bc441cb0ce0c15ade22ce233fe8
SHA512 f97c3667b0fbb33b8f6b760cdd2fe9fd73a00a911f910c4e8c700490faa1086e8119d9959f4cc747ad22d1bbdd4b766ee7b095073bd54534743af5ac3f7280c7

C:\Users\Admin\AppData\Local\Temp\cUcIcsIY.bat

MD5 c6ef5b3392a5f4e174fbbe7c058e5b00
SHA1 5488b8a7245418e7243c8616dcf927ef86a914b6
SHA256 544f63354ddeff1eebc89c98995013266a3e2cb8305d11c7c4752bd1f18a1808
SHA512 226a70bbb48c39cb974caa322b457781e7a90d2d5bde7cdda27e4fb1de50d70cfe89f8a1ae77e0e40902abdc38dd2db55db64c3458d3d2d536cd0f83f8291c8b

C:\Users\Admin\AppData\Local\Temp\MkoE.exe

MD5 20c587caf9961fa9366dd37862c2cce3
SHA1 fbd80d01313f40d8477dc6f73d781c1e38fdc807
SHA256 bcda6687300c8481e9723e3b73b25da66f0e9db7be7d0babd943bb356bf72f87
SHA512 73f517f78cfa22fd2a338d48195dc6b54765e272e5dddf23807a505e35f95ae5802c45ddaf143305b80ecec88a2f8a81e11a94354a7104453de359d8c935a642

C:\Users\Admin\AppData\Local\Temp\OwUC.exe

MD5 fc67bcfa69b14ae6af9eb333f1bda0a3
SHA1 1033636f6ecc20546a1adf7430f0747c0a25d435
SHA256 1cd40d50855e76688ef5994b53a26f865009efbd6a8cdbf311adbbb56cd143c9
SHA512 2b03bb8d41a0113daca5ab250f94587f171b7f09399023db7ecf203979dfdc7138fc92a42ad008beb156f866dddf63109fa4715b1d3fd2df18e43ccbf805359e

C:\Users\Admin\AppData\Local\Temp\QkUS.exe

MD5 4b15e5098ba621bdcc0270c1b2bf3818
SHA1 d4f8982101d4b19788eab2737a50ef8e4eb6f9e4
SHA256 9ad3c3cc9aea39b6140a0c8933053841390e359bca036b1321d5109ee431a27f
SHA512 69d60c12fb79465c75a88e0b9f9ed6eb5d5d2a9af65f98dcccd6920c07c778148fd8abeb05fd673a74fcb9d03aaa80bcedb0a250c070690e750aab1f5fc470dd

C:\Users\Admin\AppData\Local\Temp\eIYY.exe

MD5 7dab520d7c0deb184ac62c749e2b61db
SHA1 53e378889cd882d1243f165717743ffdf70ea9b3
SHA256 522e84c4bd7a881bec38a7afd524e7efb7c3de73ab9ce206e73caeac4826a99b
SHA512 d7567bbfbbef248e572d9e021f72973a0ead1ff87a5c5085b3777d6f3cb26d14842cf61040dd1121f199f188eb08bb35802e3be0f9e6b08f0a3646bf69025393

C:\Users\Admin\AppData\Local\Temp\cUQYEMwg.bat

MD5 5edec36663301925527cbea584904dd7
SHA1 9b71045dd3483261699a30de85975f1e77e2cde9
SHA256 992dbc92dc0d943e3a0a404156265be5406a34a7ecf036bde485cf66efb09487
SHA512 544af25dfa5b4c6adb8ecb4dc7ac0ae4730614aa3524dc100a9e46c067050f2be54c2b61247420b6ea061d02b1e95dc3809906d266f150183c21759547811e08

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.exe

MD5 bf8b0f575642a9379cd4b8012be81cdb
SHA1 c44416ddd6c2856652ef26a5243435babb10b088
SHA256 bf2058c078d1e32f0e006d7918493113bc6a6cb9f5e61244f4faad3f352b541c
SHA512 4a9e236c98aba072c02d161af8849e452404c41eb520c1aa41026290e9ddeeea7dff17578e92b4846d5f2277c1dd398ed9b0e8c5a1407a4d8854cae27c92778b

C:\Users\Admin\AppData\Local\Temp\UsQO.exe

MD5 7be7a28ea782da2930e058585c04ceef
SHA1 aa181311b38dade5cb640efa9e95bb156f9d6ff8
SHA256 8143c6e96195ddc9eba684bf8d7990c764913ec7deaecd223b4569e4feb27b7e
SHA512 1ae5e36f05818736409c4a9804e4c4a300352aaf506840d5e6bf9b118f8978a8ce73d8fb20f55caff14a6af55b8a69e4a26381d91adec4e406ef8445b3abf93a

C:\Users\Admin\AppData\Local\Temp\qQYy.exe

MD5 9d43a0f1fd40e6bf83b67c5c434ce9b7
SHA1 87481d966466b8711b8411497769a02283f34cde
SHA256 7024be10aa14acf0212d8deefb4697e37814fe836664f7129aa06826ada7395a
SHA512 0747d2c8b7593c19955b4057dd66645cfadc68845954d4abca27788ff8d7b6c854f21984c06d44a5e56778c78504802503920785c6d5d24ce21876a30df5c0c8

C:\Users\Admin\AppData\Local\Temp\KAsQ.exe

MD5 d1254bbad32cf19fb6d21a1bf3388245
SHA1 6e62b3e43ab4e2e75ff7103067bee9eda7c8e244
SHA256 7c30122a22c918477502ecd50189e93ea7d6112421008bf1f0127227dbfeddf5
SHA512 cb2ae66c2b63791efe1ee491e1fcf33f76c7894c41523f7f3ec7bc18096af796d3cb7552c7fd09a8184c94fd91b3ebc811ed1c381a1974730678363cbc2fe58f

C:\Users\Admin\AppData\Local\Temp\GGQQAUMU.bat

MD5 aca8de6f9a8f277219aa936f0122c4ba
SHA1 c0fa8241a09d517958b3683fcbf5e7303bfcd734
SHA256 31b12cf829d01c1752376155d5e1288dcc07560b8f93c9829636b7f1fabaa9f5
SHA512 574fe4f0510048dd57e2ab1bd5f8dd3741f7169a77673a84230a2b570f2eab850c51605d29b70344d202bee785b46676938c8b24884db7913e442e193d911801

C:\Users\Admin\AppData\Local\Temp\Qkoo.exe

MD5 d7963d46705060c9a3837fe6cf91b9cc
SHA1 d39e12a925bcda2346ac39a43a8e3d2d7f7230d3
SHA256 7b7651d266d00d85e479b779a1ce891e2da1290ed010ea990b63b89f2efafa7b
SHA512 fa8834a18334428b487dd7bde1f35dcbba785eb984296d251102d918f41d5a0bc27c6e9c5a944c72e8653af7e9e37e0ef2963a218c25c2d737db835ab73925fe

C:\Users\Admin\AppData\Local\Temp\bYsQwkcw.bat

MD5 86df1cc6a4fe580132615c3eb71bd4c1
SHA1 6a5d3971c10c18a9d852be7b4d7b76990ccd44e0
SHA256 2e21d569eaf0a42466fb89448558d8106cf587a6af7dd12104afee5274a9f1ff
SHA512 6694930dc5dbc6f7896865953ff5aca65266e45be5ad752abee2198abb411f8ba76fc7ab54ceab0637e4e1d4823e06feba066c621b1875baa7534146e304b91f

C:\Users\Admin\AppData\Local\Temp\mUEM.exe

MD5 f12b31f4c961c80465706d086c56fcdd
SHA1 6bb494630dac47823d402d14d0dc97f106bd70b3
SHA256 42e2c523d8acfb0911c1ae6c906fcd6b837cec0e7c6210b33122d936091dd224
SHA512 92c061c112788584163dd0443f1603f553b1fc8668f7b5c2cd27e25a5e05a5c1c72b4819ecf9c370c04e98fd864ef992051f352489769eff897acb10a5762053

C:\Users\Admin\AppData\Local\Temp\OIcy.exe

MD5 0b5e612fa39dd9084b722b5e1f358c3f
SHA1 481165bba67dad348a221f5ebf16b8a81b2fbdc7
SHA256 5aa5ed756714d51ab37f0489a7ada08430b4a4371449388ca8f6591f26658728
SHA512 66a3a639444b063ddfa2c5e638abff7a40933d5f6e7bd2cdc88bb37fa18e7f1b12a393feae700a0abbd4819890c9f93c4fd3a54c53845c7f0b8acf3467da25ac

C:\Users\Admin\AppData\Local\Temp\KsYooEAc.bat

MD5 5869671d86fd80f4a5dbab730c72371c
SHA1 1938f6a2ebd1c7355223020829b7ea64ffa29a33
SHA256 31224d66425be85a4c02b2f9979787c3974820a2438773039a78f9856ca7c85f
SHA512 691f7d0e302f1cacb68aca3daa3bb296b8f813aa386d0ff1f447f031e08581045296e621f2a9bc48a9dbf5db215b4e174902ba5507478b564f15e8cfa72b7914

C:\Users\Admin\AppData\Local\Temp\WQsG.exe

MD5 75f12d7dc01c316e902b250736b13d30
SHA1 94fec6e087d1cc3429865c93adeb8ef53cb7fc2a
SHA256 2db1a5a4104bebf0c147acc9237d329786ddb6b88f0700a4f226c9416b4a59db
SHA512 8db199f837c5f4dcfcfacfe10583d1a5b6a828fd12e13ea784ec3f16370c7a94aae2acda1108c00a255b35941d13b638472fd389755574b38517a34da64acbfd

C:\Users\Admin\AppData\Local\Temp\akMIkkgs.bat

MD5 27f54686b404dc006165bc92a4e64e20
SHA1 aad5f5e0c2dec2996867dcf89e732fae9ef08f2b
SHA256 55791c35869a5ae958080ed2382fb5572ae53d7d801b01104e1cd0e390f1ed4b
SHA512 e8986d96807e84f7562cdaedc82c8a1e44833d3d6dd142c9f24b6578f371dbf860002e3b0154843c5c1338a38d1a2c091b15652ab6af76ac1d48ecc7754214be

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

MD5 58826eff69b015d7f7462f96502bcb42
SHA1 9b7e742e8f597a41b3928d6d7cabc7ef72e8179b
SHA256 bc45ee0fcbe52a22714d4779947060854a7d77304a56c27763480101460794ac
SHA512 8c779b75a5934dea5a767856cb9bdba8b9a2b0d8c91d28abc6aaa5745fe14cec8a782f2b6e9af71f1f64991eb10bdc81e42fcee37f36e61cbbcbab9d7a982d1a

C:\Users\Admin\AppData\Local\Temp\UEYC.exe

MD5 0522c1bfcba523fc2ddf329ec7ced3e0
SHA1 7d63778c109c80e28fb6a8b7db55fefe22a4c5b0
SHA256 c52fc0fc793900327228cd6f0524fab42e6b4c0b23aef49c4f699301f58414c1
SHA512 31fb040a347257b67a0205bb36c61f910928de05ee570eeacd7c18be968b2611a2ac38d391a1dcd132763ba6855d99c3f48e8e8fa2fbc00cbe494028f936573a

C:\Users\Admin\AppData\Local\Temp\egYM.exe

MD5 e15e79a66ffa9212b0d4adaeca5f2e7f
SHA1 df70efe36c7305174c8673215bdbc940c7c29021
SHA256 0c45e80d3d95770e874d8fc21a13235e8a4336c69b243d4d8343256960b00745
SHA512 9215992c44974712de45eb205a68e76f2d82cc0f82da52574ebbb3f211dc03e8cc7252203f0d33030aa88d2af7aeacad2c2860f64be56959d841fb516e4a421b

C:\Users\Admin\AppData\Local\Temp\sAUs.exe

MD5 a394e605c5c85b0033e8e18e7d801aad
SHA1 d261716a0aba718c7c95dad6f856ba1147c1bcf8
SHA256 b2095de49aad728cc402b0533eeb911a099710add7f3cfaff4dd9bdc0f72daa1
SHA512 a5b73e0bb5b4a4cef5c7c7e0ce00a8499f936b2178c8caa593d7aa809f7919f52d6eb021494ff5d532c29b3e7270f98eec4e70e662d95404b893a189c5c11444

C:\Users\Admin\AppData\Local\Temp\dUgsEkoo.bat

MD5 5f59a11fa5470451f87105d5fdd4951a
SHA1 1e6ef1cd68962e1e146e496fb3a7247da9929cc9
SHA256 b1082aa018ab03be70bf3648a613ec4b6ce91769e26424ccc5e8611141307d3b
SHA512 40127a7ed85486ed7378ba70799766faa5541bc17b02d089a84a60458eee3407eece2e39a473530c0884334ee08ce8abc4861f3e3dd87e1ff228bdba54c4a3d0

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.exe

MD5 046e0962af8ef54d9c5d43e839727e87
SHA1 599e2f8a3a3ccee7f093e2151f2cfdbfc1a02651
SHA256 dc33284de622d2564bf83bcd679f93f1b1e15600af8b7b5dff7b7f20647a3c5e
SHA512 1189b84e50ef901dd34ae3602a148fe21959accd003796ee29af4aa4dd4a40a89e964093e9936cb7d8345355a98f8b69716ff754afb04bd4875200a2a3cf9e39

C:\Users\Admin\AppData\Local\Temp\cUYo.exe

MD5 ee5bbfe1912b7f41a50eb66e9682b417
SHA1 5447b674ee22452ad36f027c058c4fe2fae98a12
SHA256 760b7e42f46913c92f264064d9ba85fa645d9d2df8709c02c404a50ded07e8e9
SHA512 d73dc8a3bf1af3983b7714aa91fe31eb41385e3279b94495796cb97774039fcc33a66b1aea0ac74165086166dd0cff696e7db33db4adf456d2d303e735a07a1a

C:\Users\Admin\AppData\Local\Temp\YgEY.exe

MD5 6f073fe22a654fea3654b418b7cd45de
SHA1 8fcf1c51b3b9af343733e37b756da333c3678ce5
SHA256 604a49cf11f4cea0c2c54cdfb0de65c9feb469d83234183a1b9f3f739d722ccd
SHA512 a582ee7dc116688d584c2969cf8c40b76e5bcd024500e0dd62dbe324f971a0cc90afed0f90df81358bb3a245997f3156395c0a2e5236ab9fd61abdea72792f59

C:\Users\Admin\AppData\Local\Temp\yowM.exe

MD5 6748f713fa8c809ad4cad743ec21d1ba
SHA1 b71100b81aaa6dc3f1ad756e635a8b114040e11c
SHA256 54b4af25f97ce85389fa179dd407691d21e929655c1f32d1dcd8c867207e3aaf
SHA512 23ef48a09a3052bbb1a9b983e52e766fa9c9999052d00f93a692def9acef385ebc25df737736db57ded65102ab9e57f25866a24bc9cb75545d5407a360e33930

C:\Users\Admin\AppData\Local\Temp\GcwM.exe

MD5 0bf3df785d00792915c6f308ccc3be20
SHA1 682f08c62247f39e33cf1d15bf4b2ac4e9fca56b
SHA256 a520ee0ac15b63168c5ae29f297367c19f2e9da3008c715ee703f5b49446b242
SHA512 2921278037cd52832932fdf75a141db90779ad27e54d3280cb56a05192717544e1d7d2dfd9a93784f60f7e0784f67590e46ca51fc5ccb149dcc65148b923d80d

C:\Users\Admin\AppData\Local\Temp\kYck.exe

MD5 7e8c7100a9caca541c7baef68d29102c
SHA1 544f794b6a3419d6854394847321dba58714b45e
SHA256 bf9c41e72d6aa6dd9ff5ed898d04112aedd3a4371ef524a0e4e1f616ab456318
SHA512 c6382fa4d964f1badc1f8ed1aeebf000c0e94cb84fe315d87072a28c5d53acae03ae9741b414bfb6a045f342f24705bb126d94c86d52be3000b5fc6e8f6489d0

C:\Users\Admin\AppData\Local\Temp\twUoMMUM.bat

MD5 6d148e095f6934c3e675dc79e2323e12
SHA1 9b3cb2e7be3ab5ff2d119aa61c065309e9037dfa
SHA256 30edcbaf1ba679498b838d48d39836fbe7d6095f9be8320a9026f93ec4c51561
SHA512 a3dd57d2d57577efa5bffcafaa064188207121935ee44cce1813b838ae12108b3897467370f47b20b8b1fb346467c786eb46c4238a6ceeed9324b8aea8775b17

C:\Users\Admin\AppData\Local\Temp\OYMi.exe

MD5 e0d20df5a5bef9d957c354f4f1912234
SHA1 e3af046591f6615aa0bfabe792f79ff1ff6a3928
SHA256 69baceddb73aa8fed901f37c5880d83e75889fb9176ffd09bedfaff470ccb728
SHA512 4eae86397602c8ee98d159d1f5266b3b99cff1ebfb506f98a0df599aed52cda8e2e42143cd8a30804fb41ab7b477625f7f88d339f64b0d7ccc5260cc55458d96

C:\Users\Admin\AppData\Local\Temp\GoAy.exe

MD5 fe68a4d26ebecbbfe4a1f567881092db
SHA1 b605387ae23bf8cd7bd2054b38b57398065edd06
SHA256 4f51242a58794817d0011826a1b077b425b223b3156bb6a8a784306110c82d83
SHA512 313961b96c898fe116f841e212291fe3f6e4e969afa859c02f1b50677ab483e70451ad60e66cae5e197547094b6119313f483c35f11ad5e80488a1d4310f9c44

C:\Users\Admin\AppData\Local\Temp\yUQa.exe

MD5 02cc80eb31fae8887ed157fb0e87e7c3
SHA1 976dd622599d837b6b81a6811ed51d04e0956f89
SHA256 74b060e97ee24131751cff000e27c6530c35946864f829329ac5a2082a0a37e4
SHA512 bcfeb763679aba4c547c16b1a66054da8939bb310a6f4b8444010e0f2ec108a309cc5b1e2e023ba8bdea2302e7b67d3bf1de9bb3c84613d0f4959c02fdac0ff8

C:\Users\Admin\AppData\Local\Temp\yMoW.exe

MD5 adb0164dc68a67f7be4c60bb75dd1b22
SHA1 ff4f46d6a5abdcb86e6c9ed261a7045b1b6f6734
SHA256 8361e353ed8c19d5ea6e4c9c3802fb0aa627361211fb61678bdc4875468b7ec8
SHA512 26f12fbed6305a223639414ed2b51ec763f51160f7d91c0209143c203deb4213fa897f984830f34f7e0f85edca74f7b259fb7ae1d36ce54d204b07b1563f5e5f

C:\Users\Admin\AppData\Local\Temp\Gkos.exe

MD5 0832356fa54ef0585bc574f3739d7143
SHA1 8b20ff06ea67db764e752dbf18a8fd660501ec97
SHA256 e9dae841f2daa66b1bcca89d9c5e1ad27ab5b1f8579f317ce0d14a30459d4c8c
SHA512 3544b0ac49c233a35c980c1913117a477cc82673a405fa4de3bd87f3e7bcdca4bb1bb9840eb7b8c6ff5838d61383e43c186cca9fbfdded20f60d3f22105cd910

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.exe

MD5 7956c1168e8d819e03734da76befdd1b
SHA1 94ef544bf43b7d2affad179d73c5fb2ec3f10493
SHA256 99f4410c9f774909c658358e9050701c40918c75b62b47f5a29540ba90b499ac
SHA512 d77511a27c34a484052de8cd09f4006b8e718469ae4e830b9eff4404b6627198306221878f1c877096f4e9f20bbac73919af174131d7686ab81ea464946d4e2d

C:\Users\Admin\AppData\Local\Temp\GAQs.exe

MD5 2f42f05b7508eeff8fc4d0cd4acde527
SHA1 a1931773254a99917f31d2f3645f06e14a13c952
SHA256 fc0b42a1298bb922aa6cdccd8b7e9dcfb84efd0c42fe3b1db13f339ad1316e42
SHA512 27cea82507b788b8e321d7058a6397c718da2227fe7ab4b5887ca17f5a60340303e6fbb09a6685280f9ff8acf283c542425d91e5a54020165ad757ffc24bf211

C:\Users\Admin\AppData\Local\Temp\ykkA.exe

MD5 3be3133b6c85c725a82b8d7641ca4e3e
SHA1 057842a81e9cdfc90d1095c1c2b3a63d8bbe142b
SHA256 975443fee50e3eeafd13e329c9d588b861e4dca4a30ec54e4566f1d9f65f2c72
SHA512 a32d63f3e0740e2f6d513680c5b50eb5c2af2950c7107e7b1118a80fbe8d3e55679c3698bcba812e3fd3737ac06f4124aab89c3456c9c3acc6936d7516976306

C:\Users\Admin\AppData\Local\Temp\nUwQsEcc.bat

MD5 3d1e710c9f441ab6cb66c846c3a78415
SHA1 aa8d9e304f1fe42bdde606dd7e3239285bc673de
SHA256 5b3269751f9de524d4bc614072176b014c00cfd41b477a320ac6f12d24548d8f
SHA512 b68f4812915fbb2237d8a09a74fb53187d425f95849331825a9185e94f8c8d657d7913f8e10b9de2e41f5c83971ba83f530a423f361b417154dcf7e6938259c6

C:\Users\Admin\AppData\Local\Temp\wsQW.exe

MD5 67fdf50368f361a84150160397479cc7
SHA1 6528ace238da262b256886954367877a6de08554
SHA256 e588d818f22919769d5407e7135bfdeb4467c91e8338ad75a687377989495598
SHA512 1f89a2f72f305a5381e1fa1ff2036925ff6d66431bdcf9682704f70d4a86bb4c55560bf4d9f6052d0c00eccf5136620958b296b4a945f396f288632d3f2c97cd

C:\Users\Admin\AppData\Local\Temp\EAsg.exe

MD5 dcfff33d4740340309278eaf5d81a058
SHA1 48dd665ce6da8bba6c6bd2184f7909e60a325fc1
SHA256 dd30d3f91969348f48b523a887664f24d74f96193cda94866b002c5473b24593
SHA512 15d7503a020da592937c4bf16ef6d248fbb251f53d87932e1d52c4bff39858779afb7a40adbba84416ef6c43437159c5096b63a18f727bb261e0eec626bee2c8

C:\Users\Admin\AppData\Local\Temp\ycAK.exe

MD5 673a55b61173105baca5b24918db83c7
SHA1 5bf405a3178f4d1d138959145982c3ef7a25b3fb
SHA256 29fce90dce9c28dd3e5fe24e9bc5add22e825fc7cc69da7a85b107bb7d727198
SHA512 3dc1cdb9a9a0fd77b7030b708d7a183b9d027b83837c86582591ffd89815790ac8265dc382bcca9a24f264c620fb095d51de2f50e515b63b6a72a06af112e100

C:\Users\Admin\AppData\Local\Temp\gYgs.exe

MD5 5051073a86356db471a95b4e151926aa
SHA1 f7a9b6d86bdf9ec396aa0dc86da8c9993514e980
SHA256 bfde9cfce7dbc8c0e91ce17d901ef9efcc29f2d83231951605b5500b7844e05e
SHA512 a20c8f1a1a6cad31b29cd0fe72ee46646c301c8b358e9164ae5d530d11e1fa36e04b4d34eaf1134f9679d9080d25834bfa982249d54ac94aac1b649c64a36662

C:\Users\Admin\AppData\Local\Temp\OEMS.exe

MD5 8d4923104383d333d824335de99d2824
SHA1 a9e5678fcd596c2324b2ed57c227de3ae337e74f
SHA256 25b3227b2e4380b160804cc4f63e8392cd92c15a409446ac0e780358d985a6f0
SHA512 39ce69ddfcc0f29d60e7991c7903355f1b4b3cebeda9c5ff4f94aaf020a1221e417389d215e3f96821b266df0ad6fdcd02ee653b5bacbc0bfb93fea9de78ee7e

C:\Users\Admin\AppData\Local\Temp\GQwC.exe

MD5 198327d7080e3de937603ccb3a6fd070
SHA1 94bc6fcd9567f141ba32bc3af7f095a22052fd8c
SHA256 ecc723cd4d7ec24c96097ef1946f2832c1f26505ed228a941dbe61253e3c35b7
SHA512 f1cfa456e6edbf5ae71ec3e0c70b49d3c2d99faadbf628f727f3abd97d3363a0396d8bb8ddd3460fcf53ef32c6fac491b08117f9d0c5532028923578297ec2f6

C:\Users\Admin\AppData\Local\Temp\gwsU.exe

MD5 270d9d4304f0f099865edfbb31cbac84
SHA1 9afa7527eaada866471d51928f234a99693d00c2
SHA256 7a47935f51224ce3c3038fa2c4c0ac8814be687a265d7e5dfd12f1aace25789a
SHA512 fb243c7ec6c6bec005a8176c6925d0a14ed92b5fc6013d137f647378e7fd17956d89ca102ca3ae9f6b2258806d2ff871b11b2df8e4b544c3ae50f14a06478438

C:\Users\Admin\Pictures\EnableRepair.jpeg.exe

MD5 82444656a913adf2fd799c1c29048c0b
SHA1 97accc245a9c8ce8bea496ce7ec068275b351f4a
SHA256 076f04c40ddf648ea635218741d097d097f395865c96de057cc0ae55f3a4b57d
SHA512 5503777210f152118168da90deb5cf4cd204473154e337af76f16c58612a9606fca3e157f4f8bf292d25e7fb16b98d1a95004bd722388e8af917aeb753e94f2d

C:\Users\Admin\AppData\Local\Temp\IUUO.exe

MD5 32f11795e89efecc9b51d42a1b0e3f31
SHA1 ff11d26d3bac20a90314c2eda0adb5699777e269
SHA256 a43270380bd9a9ce7b7fcdba2187bf8fcdaf6b3d6dbde8743c64bdd24bae1ea0
SHA512 d99d99f8b0763f4d84cf8006be22ed04853c86846fcfcb4a8af1bc322b7045a320ec98b10fe83e7ec550912028cc3647ccda2bd0f6c6156353caf3cf1976f3b8

C:\Users\Admin\AppData\Local\Temp\EUMY.exe

MD5 7ddb48c0b66b2e463a78d9bcb48ba4fa
SHA1 7364743086f9c61c9e9f3e0ae131ad6a3cf37e1e
SHA256 18921568185029f9b95477cf79225fbec03b2ed71cea9c796b9cadf1f2d707b4
SHA512 0b0b8559a75fd6bda5d8be33e43cd717268ae54b7ac9a47400ad5fe5359484113294c9e7e239dcaa72a4d815b460728edc66e9dce16a4405c77b470ff6d651f7

C:\Users\Admin\AppData\Local\Temp\WAoAYEkA.bat

MD5 023346f9b84a36140af577d5d1113fdc
SHA1 326b8e102cd10707c48b4d594df732d24323fa06
SHA256 78f32f09b390694ac5465e141c610aac3a7ee1dad2fa06394fe297376cf82963
SHA512 24b95acbfa8237c50f86de731f1778fce5e1ea6c221ce32b6e206ed08c80f682981b829270e27153e538e473c1dbbec8a076b742cb928b45c40c043a952910c9

C:\Users\Admin\AppData\Local\Temp\aEcE.exe

MD5 4b51734c8772e010eef6d003ec4d2c39
SHA1 7a40dd2486211c60e9ecd0ea781b5c9395531f21
SHA256 d139142c8f2040d31539402f296514eefc3891bea36ea87658b1cadaedbdf4d7
SHA512 8a9258bbbcf2a923dda10588e772519e253286fa5649fdb8dfb77852a04ca3c6f07c8b515033530a4c628b1faf155cd350d59547e8b51d59be974ecb2a54453d

C:\Users\Admin\AppData\Local\Temp\mAwU.exe

MD5 7aec0d4d3692c4edf254be3b99394b70
SHA1 11e35f826c88368ed5d6f8b0e1e95915888cbfdd
SHA256 8fcda7cce8c692bb7914499b59faed3f2ccd036a3fb32e77f087c6e716efc38a
SHA512 373832f980cf7e67fb59a172b8acdf76f4bd569ac02a954283dd20791b74eee1e436e52d40e64c94e628a0c5df6ccbe8824c3cc9be0d53136c4af49afdc6abf7

C:\Users\Admin\AppData\Local\Temp\AEwm.exe

MD5 44e47fd7c7e52d0a72e039b3ce380fad
SHA1 d10893a99506cbe5e7e5233e3455cea0e113a265
SHA256 ce9db8d9d65be6245b0e60ecc9e4dc6f26543df4309c037e2e51c6140be6ba63
SHA512 e8a04c310a2b4477a8e53732922eca504967c6df29e9469567b9193b20a7bf0e210b828ec39733a49b730bd8c0317dec023376c2cebe1def6dd852005687d893

C:\Users\Admin\AppData\Local\Temp\SoAUQUAI.bat

MD5 67daf51f462a58385bc88d6b5ced1035
SHA1 29cbbfd531797fa9910aee2bf6f1fef29a7491e8
SHA256 493ea63e193da3cf603edbfd62768b38803719b407a5e2aab3083dbdc65b5383
SHA512 545d2463ae1db857f9e6c4709a24cfd45e3c5085e4fd8051c7763b57a2b0f296c8f20747d33fe4f7c49b6b2f87d8a1cf14ad27a909e865a1904bbef921c9ca6e

C:\Users\Admin\AppData\Local\Temp\AgcC.exe

MD5 20cab90d3123228785ccd4469ef99229
SHA1 3c147e573296a943f1fd65ed4bbe1f2b2445a327
SHA256 8df9d9114a6140fab1347503af307ce03bd6a7f80d73870da1aa281d2805dca5
SHA512 63d171db6892f590776a713e8a43f8d7d17da3bd173790e1cb24eab1781fe719840f292c26f379a6628398f41570a91845a4548491bad5d01951f582063a77c7

C:\Users\Admin\AppData\Local\Temp\isQU.ico

MD5 9848e0173c8ca1325db2a20b2d8bff21
SHA1 c4cff05a5b4bc7cb1dd687e799a6a12d7058f9b1
SHA256 8018e3bb08def89f0d13393e54e6b9a8c6e3cdbbb7b9f0b7f49cf228703f9b00
SHA512 967d1d3a57b7dac2a5e413f6972278938d7bbab192754498e50d5803b8d7370d48c9ec89938f4d11395c0ae518aa48192143b8621c665eaf1bcdebbbd53caec1

C:\Users\Admin\AppData\Local\Temp\kIUk.exe

MD5 6ec2487a9baac0e62506a0ee25bd8a35
SHA1 37ae43d33c18ed8020ef4800ae64496ffa74aaf5
SHA256 528c4bf0d7af2aff4d25a26b149189fdbcf2ddfcdf82b3625a256d4dc69e809d
SHA512 35ddabe539c62096575ce4efc12e7e51f44c32f1336c8228574251a9f637d74eb668c7e1b3ceff8a550fa24ae5895be01cd38b20537afa80b7e409ec249c7e3b

C:\Users\Admin\AppData\Local\Temp\AYkI.ico

MD5 31b08fa4eec93140c129459a1f6fee05
SHA1 2398072762bb4d85c43b0753eebf4c4db093614f
SHA256 bb4db0f860a9999628e7d43a3cfc5cd51774553937702b4e84fb24f224bc92e6
SHA512 818a0e07a99a12be2114873298363894b3567d71e6aa9ce8b4a24c3b1bb92247450148f9b73386a8144635080be9bb99a713f7ba99cb74f8e82d01234000074d

C:\Users\Admin\AppData\Local\Temp\oMMe.exe

MD5 d688869709e858a9a926e3ac936445a6
SHA1 eec1b60c34f4092d4f8e4c635c9c02df21c681aa
SHA256 fcbf09b614e7bee252e9a67b7c3aaf7d1ca38af4703a57089d39546d77c0ed65
SHA512 e1a4774d0edc05d31034bbb4a76b3cab008a7271b289ae0299f4bc1405d5c33dddfba9ef870707dc99c34318296fb2ce922385dc1b25aa59a5c1f984391d7475

C:\Users\Admin\AppData\Local\Temp\dAoUIUAA.bat

MD5 56fd6aec2e71dd8b96a0a01908d44d43
SHA1 fd2c240335e7cac8e35d4097b918e9fc6cd51121
SHA256 efd173de1012b5a26fad85b6409c691da7afd20332a23f86c17c9984b44d8eba
SHA512 b0ffaceb63fdef58b62190ef39b2420f25f6264dd43b4aea6ce996ed83a0a0e081d03751bfcd7a52a7bcb3465608c60fd672dffbda74e96e155493b0d4d3ae86

C:\Users\Admin\AppData\Local\Temp\UQMk.exe

MD5 647568e1574306cbec7c21591da80066
SHA1 d5d253485eac2135c05b67238507cde6161c40fe
SHA256 0b049d894260ce7f0dd0c2d66ebfa4b9ce68164e48ba210541bbeb8d64398958
SHA512 6165cb935b390eba8c809fe24800616702c9dddb8e017680d61967e8312969fd031418077174648017038e1479445fe647ab33f9145891518488684e43c249eb

C:\Users\Admin\AppData\Local\Temp\yIkU.exe

MD5 665aa6957367066afee579b9d2539338
SHA1 437759c1f89d7242c0a66d89b248af8e2ec3a959
SHA256 cc85740cefaecc776afa2d884ed0cf5315e3031126d2028ff6a2e742c37aa5ed
SHA512 9b39c52f2b1d9400dae4b9dd2731e40909d93bdf78ace51752ec6b89a2675b0616f28429d443402cea19cbe339833b9facdab4ae2ade53a0c97e5495aaf4c2cb

C:\Users\Admin\AppData\Local\Temp\sUEW.exe

MD5 4c8b5033196d0e5c4f4fbfbf42397571
SHA1 ed88d3105917863b5982727f2ea645b6eb38a964
SHA256 2538f2b33fedad89eb10c77c0e617a1c3ffca2277d0e3f041a5cb4bddb97a114
SHA512 270f7b35888e6166d9f89f8fae2dccc224c17594d300d9b1110dabba6885258415314463a52774949a259a2fa1d639788a47140d65e0c989297456f2de2d63e2

C:\Users\Admin\AppData\Local\Temp\KYso.exe

MD5 5e4b606af895bf3c52b431b854cbb91e
SHA1 aa32728ddfcb430b49a89fc6144a69ccd9c03a74
SHA256 4d9bd10c811f6ba83fd369edc2f0d1bd1e174b0e684b14a2f10d08e1e083c70c
SHA512 f4ef16b3b62fa456a5896609d869ce7ab28bcf88059a2d36fe84ce6523ba93241a065d21eeb8a10c05fb262e1b5c68199d8299a89c9019634e2ccd0162343188

C:\Users\Admin\AppData\Local\Temp\DkcEYkwI.bat

MD5 058272e2d65bd1202becce6868860036
SHA1 d4c0da630ca50564a7ab9c80aaf63cc51b843d4b
SHA256 029a0a5604b55866b6eb72509335549aebd0c2fab8f789a59d16ce0c5e6aeec5
SHA512 6bdbe40d03b0291c2bbdbe6deb4f757243478a88c72d4c0107111dd093508cd38d37495abd24ce1339afa3c9199b94ac2543e0b5819d53dbf86e3a6ee054ddff

C:\Users\Admin\AppData\Roaming\ConvertCopy.rar.exe

MD5 440b3c017173c0611e1359f0fb1adb54
SHA1 cd582f339a2ec2b9aeff8a44af28405721cd01d5
SHA256 b5e70e6c156585139747d55b07e0796101a6270c5e1f82aaac9bc2673a923652
SHA512 bbfd8f2829a29fa2ce218cf8ffd998ac4fa35d06cc4eb2884bb53cdb2f6b8452d98e32422308418e51e22f3e29b97b22eb0a2dbcf2286fc65a9c27d8378b2dbb

C:\Users\Admin\AppData\Local\Temp\eSIwYsAo.bat

MD5 47224b4b16801a69a304453112d4ffd4
SHA1 183875254e43c233afad716e821351aba5e86756
SHA256 0f9125daa6e8f2554ed5b71981384fbc9ec69d1edb9721d2817197b40ea78cdd
SHA512 d8da05d9de96769ba459e932b1805a16ce8fdfa95d140034d7d3f01e73d687dcfcf6e0174a60951071038072345bfb41886c126e02b0435ad4dcf4f1067b2a3d

C:\Users\Admin\AppData\Local\Temp\OgUK.exe

MD5 4c870d597f1fc6c1734e31a7c4b1228d
SHA1 8ec753832d6e051eca6f5bbf99eeaaaf874ad934
SHA256 975979675c7e029b02b95d631bd1c1b7d4cdd4d560b4747e49106059bdf6d060
SHA512 5de770ad60fa390a4a38f1fabc50ae7333907dc1cfec12a248d4f8283b01a3c091bf2dfe4a95b2233467ac02aa5d36b2b9e4d4594977d12fdae7be9ee03fd180

C:\Users\Admin\AppData\Local\Temp\MEwIogEs.bat

MD5 d0478b0637fb0ef6731ca6f057bc9a6c
SHA1 e3be944efa44758d2ff34b2651dae284bfd3b377
SHA256 77cc6984b08cc663c7287085c9fffda7e33ab7b3cf23fd3c511c44725a15f066
SHA512 7bee048dc2d2d9a9ef81c2016ba569a20ed1d948beef0e4cb5bbe435b749acf229280d81971ad5c27f47da81d32aafbf1141951515583c110af5360beb31b034

C:\Users\Admin\AppData\Local\Temp\aUcs.exe

MD5 ff767521439ca272aea4d35060c9b509
SHA1 3e624a81bba04e575fad59ab00a88506aff6a60c
SHA256 776a8c1226c5f150d9a5e3665006e9bf8310fe2ce313f87c2334e054b75b0c17
SHA512 6afa569dde82524554e011518e04b4ec62c518a2b0d017618bb3eaa2281eef5a0bed83e7751c2ad35952082c7293c8b75c4ab3d574888837a62bbafe2ccb7df1

C:\Users\Admin\AppData\Local\Temp\Gckm.exe

MD5 d299eaf3dbb6a6fbc8101997cf3e252e
SHA1 0d90a0508c8b6322b0d95be20a1568b2e52f7a92
SHA256 007577789f8735cc7bdc125e0dc6e313f3a17a4bfbd9300ed27339902c85e190
SHA512 72a3e9f8e9a8815674e5a283fff5b717bac8e619ce75c9037d3aff09047f6749f18d60628406a269a2c6c04315ee6a91860a3362f4305231ae812a14d207599d

C:\Users\Admin\AppData\Local\Temp\TskcEEYk.bat

MD5 dbaa8d870d27a46fac3264b7d86fd3b2
SHA1 6bf9575f5095e8736ea9b899926dfe9170c5903e
SHA256 11e2940d6bfa475c639c77615103fff378ff6f462913ac8419c91b79d3edd41e
SHA512 c00e6d664d6337b00358d99901ff2e8ca09814ad36a186ed7e994896c3bd14da469f789d9ba08762b171e5484cc51df149a45ad7c501c918f95f2ea27313a231

C:\Users\Admin\AppData\Local\Temp\yQUg.exe

MD5 2d2873f447135789f364379db8fa008e
SHA1 1d54a26229ed0ad37bea592aeb41fd8bf8c0ee2a
SHA256 24c281f8598de0ec0440eb9ab75f5a1ccf97119b4a364f269653276e59a88bc1
SHA512 354b21874d4f721b5f5de457d1d4fac9532614e38f2a814b05773d2a754d5abf8144853805b79838140a827f9ecdeb64c870349f73791c80e84d6577ef7cf22e

C:\Users\Admin\AppData\Local\Temp\MEEK.exe

MD5 4eb85cc8240f5d2d78e6366ff7e195e4
SHA1 faacd6287099ecc0331c5955b9a7101ae7c94b4e
SHA256 fe4f5f09cd7f2f1273bbb5a5bc5cdb14c0e43c13dcc4b644c6ad4ba453b923b9
SHA512 ff83c87464f14f612330778c693c23ef6a651e02dc1254c0cb9bbf8a1e7bbb3ecd11564800fe3a40fa557857218dc5747b520661806b1eeff583e1d52459d34d

C:\Users\Admin\AppData\Local\Temp\Okku.exe

MD5 68712d7f61fe2f22c0f7f05e5c475b16
SHA1 d757b87ff450214c22f038682ebc28e6348245bb
SHA256 f59e5804710e4b3202eb0622e4d4e4f7414fa4e9cbc538737df286d414aab7a1
SHA512 5e5cbd45b4a5f5e14469e568e0ddb7544c3027971575224070de7a02fce5f278e67981ac2194fe93e2a28a4dc814902494f7c592d899b9b3437d938aae77782e

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 19:14

Reported

2024-10-20 19:18

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
(the row above is recorded 64 times in the report; identical rows collapsed)

Renames multiple (52) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\ProgramData\vAAEYcsE\WwAoEIYI.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\aKwosMss\GSwkEYwk.exe N/A
N/A N/A C:\ProgramData\vAAEYcsE\WwAoEIYI.exe N/A
N/A N/A C:\ProgramData\YSwwYQgU\kuggkMIA.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GSwkEYwk.exe = "C:\\Users\\Admin\\aKwosMss\\GSwkEYwk.exe" C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WwAoEIYI.exe = "C:\\ProgramData\\vAAEYcsE\\WwAoEIYI.exe" C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GSwkEYwk.exe = "C:\\Users\\Admin\\aKwosMss\\GSwkEYwk.exe" C:\Users\Admin\aKwosMss\GSwkEYwk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WwAoEIYI.exe = "C:\\ProgramData\\vAAEYcsE\\WwAoEIYI.exe" C:\ProgramData\vAAEYcsE\WwAoEIYI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WwAoEIYI.exe = "C:\\ProgramData\\vAAEYcsE\\WwAoEIYI.exe" C:\ProgramData\YSwwYQgU\kuggkMIA.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\aKwosMss\GSwkEYwk C:\ProgramData\YSwwYQgU\kuggkMIA.exe N/A
File created C:\Windows\SysWOW64\shell32.dll.exe C:\ProgramData\vAAEYcsE\WwAoEIYI.exe N/A
File opened for modification C:\Windows\SysWOW64\sheDisableSuspend.xlsx C:\ProgramData\vAAEYcsE\WwAoEIYI.exe N/A
File opened for modification C:\Windows\SysWOW64\sheReceiveSelect.xlsm C:\ProgramData\vAAEYcsE\WwAoEIYI.exe N/A
File opened for modification C:\Windows\SysWOW64\sheUnregisterMount.xlsb C:\ProgramData\vAAEYcsE\WwAoEIYI.exe N/A
File opened for modification C:\Windows\SysWOW64\sheWaitPublish.xlsx C:\ProgramData\vAAEYcsE\WwAoEIYI.exe N/A
File opened for modification C:\Windows\SysWOW64\sheWriteLimit.exe C:\ProgramData\vAAEYcsE\WwAoEIYI.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\aKwosMss C:\ProgramData\YSwwYQgU\kuggkMIA.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\vAAEYcsE\WwAoEIYI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
(the row above is recorded 64 times in the report; identical rows collapsed)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe N/A
(the row above is recorded 64 times in the report; identical rows collapsed)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\vAAEYcsE\WwAoEIYI.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\vAAEYcsE\WwAoEIYI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 544 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Users\Admin\aKwosMss\GSwkEYwk.exe
PID 544 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\ProgramData\vAAEYcsE\WwAoEIYI.exe
PID 544 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 1824 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe
PID 544 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 544 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 544 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 1824 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\cmd.exe
PID 3316 wrote to memory of 4404 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe
PID 1824 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 1824 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 1824 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 1824 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\cmd.exe
PID 3616 wrote to memory of 4960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4404 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\cmd.exe
PID 4404 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 4404 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 4404 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\reg.exe
PID 4404 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 4512 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe
PID 3716 wrote to memory of 3496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4512 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

"C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe"

C:\Users\Admin\aKwosMss\GSwkEYwk.exe

"C:\Users\Admin\aKwosMss\GSwkEYwk.exe"

C:\ProgramData\vAAEYcsE\WwAoEIYI.exe

"C:\ProgramData\vAAEYcsE\WwAoEIYI.exe"

C:\ProgramData\YSwwYQgU\kuggkMIA.exe

C:\ProgramData\YSwwYQgU\kuggkMIA.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HAMoEIcE.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmcUgYsE.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nukEQogY.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwskcAkw.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ocEccwYQ.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aqkYUAsM.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWIQQQsE.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcYYUYsw.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\higYMEso.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\isMEYkgM.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GMYgQEkM.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEIkwQck.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsowIgAA.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VQoYQIIY.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jYkYYgEE.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMAMIYUk.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LQAcEEAs.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUMwMIYg.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pigYkEoM.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwgEkQww.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCwoUQoA.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sGskcAco.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ycEYoYMM.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe 1756d58f4532370ff64513a96cae0697 22VKxw2ynkGC3hPeW+f2qA.0.1.0.0.0

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XgIgAcsw.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nmYEosUU.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NGwEUAAQ.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEocIAgQ.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QWQMwocU.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UEMUgUkw.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqEkIgUY.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UYsYwIwo.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TUYYUUIY.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JuEgUgwE.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rssUksIQ.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EkcwAEsA.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gSIEQEkE.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kskYwUUY.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jcMYMEMg.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqUEsAsg.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmIsgkkw.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqwQUowQ.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UGQsMYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YCoQwAQk.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwQwEwsA.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HgggoMos.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZEsAAscg.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NCgQwYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AkoYoQYQ.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWwUwkkU.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQwgUwoQ.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\huQsccMI.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vcwEUIYc.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DKccQkMc.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LEsggEAQ.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UKwIgcUY.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGMMMgsc.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmQUYQEk.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NcsckgAY.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bosgUkEY.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwowMQow.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pkwUEoEc.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mwoskUIY.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SakgwccI.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7"

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwYIkcYc.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
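
The process tree above repeats the same four-step loop: three `reg add` calls (hide extensions, hide hidden files, disable UAC), a dropped `.bat` in `%TEMP%` run through `cmd.exe /c`, `cscript` on `%TEMP%\file.vbs`, then relaunch of the sample. The script below is an added example for this page, not tooling from the sandbox that produced the report. It parses `reg add` command lines into key/value/data, matches them against a watchlist of exactly the values this sample sets, and flags scripts executed from `%TEMP%`. Sample lines 1-5 are copied from the tree above; lines 6-7 are constructed controls (a conhost launch and a benign `reg add` that sets HideFileExt back to 0) that must not fire. The ATT&CK IDs in the descriptions are the standard technique numbers, not something the report assigns.

```python
"""Detection pass over the command lines recorded in this report's process tree.

Added example for this page; it is not tooling from the sandbox that produced the report.
SAMPLE_LINES 1-5 are copied from the process tree above; lines 6-7 are constructed controls
(a conhost launch and a benign reg add) that must not fire.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Registry tampering this sample performs: (normalised key, value name, data) -> description.
WATCHLIST = {
    (r"hkcu\software\microsoft\windows\currentversion\explorer\advanced", "hidefileext", "1"):
        "Explorer set to hide file extensions (T1564.001, aids masquerading)",
    (r"hkcu\software\microsoft\windows\currentversion\explorer\advanced", "hidden", "2"):
        "Explorer set to hide hidden files (T1564.001)",
    (r"hklm\software\microsoft\windows\currentversion\policies\system", "enablelua", "0"):
        "UAC disabled by EnableLUA=0 (T1548.002), effective after reboot",
}
HIVES = {"hkey_current_user": "hkcu", "hkey_local_machine": "hklm",
         "hkey_classes_root": "hkcr", "hkey_users": "hku"}
# Script files under %TEMP%; the sample references file.vbs with a forward slash, so accept both.
TEMP_SCRIPT = re.compile(r"\\appdata\\local\\temp[\\/][^\s\"]+\.(bat|cmd|vbs|js)\b", re.I)
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


@dataclass(frozen=True)
class RegAdd:
    key: str
    value: str | None
    vtype: str | None
    data: str | None
    force: bool


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    detail: str


def tokenize(cmdline: str) -> list[str]:
    """Minimal Windows-style split: double-quoted runs stay together, otherwise whitespace."""
    return [q or u for q, u in _TOKEN.findall(cmdline) if q or u]


def normalise_key(key: str) -> str:
    """Lower-case the key and collapse long hive names (HKEY_CURRENT_USER -> hkcu)."""
    hive, _, rest = key.strip("\\").lower().partition("\\")
    return HIVES.get(hive, hive) + "\\" + rest


def parse_reg_add(cmdline: str) -> RegAdd | None:
    """Return the key/value/type/data of a `reg add` command line, or None for anything else."""
    toks = tokenize(cmdline)
    if (len(toks) < 3 or toks[0].lower().rsplit("\\", 1)[-1] not in ("reg", "reg.exe")
            or toks[1].lower() != "add"):
        return None
    opts = {"/v": None, "/t": None, "/d": None}
    force, i = False, 3
    while i < len(toks):  # flags appear in any order, as they do in this sample
        flag = toks[i].lower()
        if flag == "/f":
            force, i = True, i + 1
        elif flag in opts and i + 1 < len(toks):
            opts[flag], i = toks[i + 1], i + 2
        else:
            i += 1
    return RegAdd(normalise_key(toks[2]), opts["/v"], opts["/t"], opts["/d"], force)


def classify(cmdline: str) -> list[tuple[str, str]]:
    """Apply both rules to one command line; data is compared, so HideFileExt=0 does not match."""
    hits = []
    reg = parse_reg_add(cmdline)
    if reg and reg.value:
        desc = WATCHLIST.get((reg.key, reg.value.lower(), (reg.data or "").lower()))
        if desc:
            hits.append(("registry_tamper", desc))
    m = TEMP_SCRIPT.search(cmdline)
    if m:
        hits.append(("temp_script_exec", f"{m.group(1).lower()} script run from %TEMP%"))
    return hits


def scan(lines) -> list[Finding]:
    return [Finding(n, rule, detail)
            for n, line in enumerate(lines, 1) for rule, detail in classify(line)]


SAMPLE_LINES = [
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2",
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f",
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UGQsMYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7.exe""',
    r"cscript C:\Users\Admin\AppData\Local\Temp/file.vbs",
    r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",  # constructed control
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 0 /f",  # constructed control
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
```

The watchlist keys on the written data, not just the value name, so a legitimate administrator restoring HideFileExt to 0 is not reported; in production the same parser can feed Sysmon Event ID 1 or 13 data instead of the copied lines.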

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
GB 172.217.169.14:80 google.com tcp
GB 172.217.169.14:80 google.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 14.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 33.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 75.209.201.84.in-addr.arpa udp
GB 172.217.169.14:80 google.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
GB 172.217.169.46:80 google.com tcp
US 8.8.8.8:53 46.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/544-0-0x0000000000401000-0x0000000000540000-memory.dmp

C:\Users\Admin\aKwosMss\GSwkEYwk.exe

MD5 d42b0810c563ecf7e4403b0fb06c6fd5
SHA1 450cb79fed07b3c33068f6f2ff8ecb381ad2e303
SHA256 37c156930312321ee8649d993dd1362b5c2512ae47ba90412ecbd301ead5f4c6
SHA512 0143d593beb78e4e50bb982ee63fbb357c23c716d38b3e676ec62209c3c9f63e765c27c86c06386c94322151052ecf677e71db69b383dd80be05392f509c0d8b

memory/3908-8-0x0000000000400000-0x000000000046F000-memory.dmp

C:\ProgramData\vAAEYcsE\WwAoEIYI.exe

MD5 14dad8b8e53165f3514a57c0bfc745d6
SHA1 fcf46d74422771b04a98421577fe52fdf928b81f
SHA256 b58b8cd01b0ac08931b5607490424e9ad748f6cfc99f87a8d04496141ae557cd
SHA512 d579729812896827d2e52119cec9bef02524cc7e9da660f33dd66897e8f35b108ba8470408c13f04990b9072593805b11f00cb4a427ef0fd0bc3b5853a1e74ca

memory/1172-12-0x0000000000400000-0x000000000046E000-memory.dmp

C:\ProgramData\YSwwYQgU\kuggkMIA.exe

MD5 d1e0834f22be4bda67d694bbda075356
SHA1 cc60d18272b3795563d52641ddbf65832e9dabf2
SHA256 2d55525db37551ab61cf304fb7a9119634f7a8533c4184dbef7c32b43a5828b1
SHA512 3eeb340d58cd924d8d4e4d0d3bda2673fe54ed5319de370e82b6d860326fd826dcc6e93f1a6fcd6546dbe9ebdb5de67ac83b2244468eb880f5ab185955b18b27

C:\Users\Admin\AppData\Local\Temp\17d2af1d49eab3e30a2d0177678f0b2bbddae0f7ce7707fbf7206e0eb919cfd7

MD5 076e3caed758a1c18c91a0e9cae3368f
SHA1 f5f8ad26819a471318d24631fa5055036712a87e
SHA256 954f7d96502b5c5fe2e98a5045bca7f5e9ba11e3dbf92a5c0214a6aa4c7f2208
SHA512 7b8b9adf2dc67871b06fb9094bcd81e8834643cd9af96a0af591c2978bbe2fb7f53ff9b54ae09099aed97db727cd42df4ef02662ef4c6d7cf8023561ddccc7f2

C:\Users\Admin\AppData\Local\Temp\HAMoEIcE.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\AMAS.exe

MD5 ea35f867cbd86a51f906cdf34576a8d4
SHA1 e9754af22c4453b5062ad49e12674e82be61f844
SHA256 c3a621e8f180393f54166d4ed7efc779f8483e775219a2197cdee50d34361e1e
SHA512 8d39586e19832f7d2ec11ef8ab1a750cd205dcdacd43030503f9e3e3ff4a0ae6aac70e5ef9916dd0a1eaaac317f8245bfc5bfeb489aa27a8b6acc44aa235868a

C:\Users\Admin\AppData\Local\Temp\osAg.exe

MD5 6bb8d951866aedcd443a818cb01e3fe1
SHA1 303aa7e247e14a63180fd80e78a68133b57a3a82
SHA256 7bb9ec3b6ba60f3b7fc8c5960dab14bcdbf2fc76e2aac08c726a8a91208f7c66
SHA512 4566fd674b8f479aca4e176326d1fcc5a5e52d21365ea0e6aa047f1b8b8c10b0d516b22edaa4917ee26f50d1b9e89e1f7a84bdaffafc93ad756a37b6d5b12efb

C:\Users\Admin\AppData\Local\Temp\cgoI.exe

MD5 4261dea5f5e024c5b6d6e8ee924d735e
SHA1 e38133919599f575f2a065a50685248b61c4107b
SHA256 ea4fbc043b2616baa1da4bbeba512b89e5e9f3bd0b2f3fd7476836d0971c28f4
SHA512 11fe4b3478722e58d7b1b4793b9646137fd18a6531940fca83e305a418cb54c96d5bc4dc6ed4d1103d842d2c293ffb374269eb8d2e740bf49aa4ff9909057f55

C:\Users\Admin\AppData\Local\Temp\YyYo.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\YUsc.exe

MD5 0100e436b231a36b0e2a65b577857d39
SHA1 d2e9a5277bff0427d1c64581611be9a539089195
SHA256 32c416bff8f6db4fcf403dc8edebf75a35c16f8bd50b252d857083becbd2193f
SHA512 29245886701e94d90c67a8010ca983cdde784eac6aa7969fd92c32f606586a0c7a54a4965173d2e348d34e04695c4b516745df4f4e5ec638ed2366e266ed221d

C:\Users\Admin\AppData\Local\Temp\gAIE.exe

MD5 9027b9b1d36fe4c0add5e2195b582745
SHA1 f3ba5c4f5a18c1901face30bf379f05f244c9fe2
SHA256 27026934334b5199733ded73d9e2de5ed39cbd02dd5031bfad432c80d69c5afe
SHA512 56ae20a0928e1fb8bedf3ecc3ad7badcc63bad244417684736232b046db5a8a9f8b66c764502b2068bb87244652bc3221bad25c8bdd3a88f129a1ff53a91fe66

C:\Users\Admin\AppData\Local\Temp\kIgw.exe

MD5 cf13054566fd7a4fd3b0105303ad0e89
SHA1 f4291e4f44f91c6663cffcaadb813ecb99880708
SHA256 3e78423aaa86d7f6557142eb4dca2a537f8a0f0d3f216cdf765279b75ca047ba
SHA512 d613b897c65481aad8e5021158e129fe4e3deac4c3565c90b85d83ff320c1132067526fba5ad7614c4574707bfc11cf6d86f759fa802509b4d376ae0ce456395

C:\Users\Admin\AppData\Local\Temp\iEoq.exe

MD5 04405a7af259a91465b42c01ae083c9e
SHA1 a55a344662668061be0b65e18b81c38eeea3dc6d
SHA256 298c94801531ab7184107d5775add6925d74fd9c71cea31d53c0d01747c0305a
SHA512 bd38f9b6442dbcdf49f009591b37637650ddf5b2ac70d036d5b6e095d7878a333aab5a803ee9d46d0026528b7f36a42e0ca1314d6a0dfad67ae000c4b75bf151

C:\Users\Admin\AppData\Local\Temp\Goky.exe

MD5 57e26dcf8b5b5c4884da3520d5417082
SHA1 775e936181f85c5c3462178da1afb67665d392c7
SHA256 3ebe0c5f5b045190c1bc7bb5c4c6669fc3bc52350d760194af2978b45eb27f23
SHA512 be52ecc7f7fee522992d28df6518d4509be3427d44c2e405754b620d500b97d78939632699406e889e1d2285dbb18aedd31f8fcb4cc33af34f481d884f9ea0ce

C:\Users\Admin\AppData\Local\Temp\Qooy.exe

MD5 35be51fa4f934b3a7ed2b71c78d19551
SHA1 60ca74b35e8c2a9ca7ee9d6e11c3274ad44eab02
SHA256 12086ae6f68aefd5d658ccffae542e97b23074e821939cd58927c65b4bc368ee
SHA512 03e7c53959e8be115c6c09267ec2fe32ebdbc62bb1dc1a5354c64903305612b5ffee94272b553d9eb71184a2814ae9fbaa2745e0026c1a376f12dfd8e2e1002b

C:\Users\Admin\AppData\Local\Temp\eogA.exe

MD5 73772164a7859b2b1e2b3ef8c4620884
SHA1 149523815bea73148494857c52a6e6132815f331
SHA256 7041b475053273fb866fad10774b518dba97d0e0456a0722d2db6da1cc1f4fc7
SHA512 a94f3c67712b3d4c9c9f52f33fb1c157f629bdf7b36aadf1bb1115bcbb92323c9e0e25034a75916a87aa68b301c94e1184fff64927cba5877a0b0449e30e7739

C:\Users\Admin\AppData\Local\Temp\KkwE.exe

MD5 6eb363a958a460b36cae734a7505feb5
SHA1 906ff5ce87a75c499976ccfc41d26e0c4f220bbf
SHA256 b2acb55c0691e376694a26154c4ef4f95866d10fee3ca362c9ac9d4190ec580a
SHA512 0a7348a17cea27d4bd72b57ff2157e3a7d4e4bb043d57f338e36dc7cc278e21c5abdf233f8f2465ecb79628bb981803250effbd6ac7a4e056a7082dc1aa1d812

C:\Users\Admin\AppData\Local\Temp\cQku.exe

MD5 5c4f1263a056877af72c65e1c1b74732
SHA1 68381a4fea6ec414ea966039c92a78e320737be4
SHA256 bc82ef5df729d085ea49280d8a72e0947c3314bb201f110c90c905645d02e636
SHA512 b0cc2b5f3eb0960af5b75e3dfbd1b57ff8ea5b1e3797f6a1f5d72d96a23bd4e25bf34bd3bbf46f0d23d0585d283f64726502d6e925f95496a9c7ab4887cbd14f

C:\Users\Admin\AppData\Local\Temp\MAQY.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\yQAE.exe

MD5 ce342cba8d90b874096a2d2bd6aeee66
SHA1 5d02f363552abaa48e1d09c324310986fe011465
SHA256 1fab2d98c3eb8a735dcaf517ffb7c0133599e94d6cf718b5e9dcc27509ceced7
SHA512 910d8ac7fcbcabba5065ac52a51bebfe0e8551cfb2a32f97ecb689b88d6244ef4c166d2eeb125bb6361fdac9a86e8bb23aedb4e511ccd96bdbd545ec1c6e6e29

C:\Users\Admin\AppData\Local\Temp\ocIw.exe

MD5 acbe4ee6d588611251e93fccffdfbf8e
SHA1 e3a2011219e95bdc7bce8dbee9e2742915555c62
SHA256 fc885fe7fc32bbeceb095e8f037422fa80323965ba8c41a6ab1928f9394a6660
SHA512 4030e5ee978b653f882a7f47e4f66bd14947da7737fec442d9cdfc5a2f1281199a69a59bc6af11c774efb25b143bc6434fb8a9ebf02be11341fbad484521451a

C:\Users\Admin\AppData\Local\Temp\kAYY.exe

MD5 1236d3da9141335f7a6407d8d6a1e0de
SHA1 af98d0b437ce10d020f7852f320b0d6f96e815d1
SHA256 d8c55eaad4e3daad3d22d5f96330324c653a4a3232fcfa918a6ed24fce44eb9e
SHA512 3044f2158fb315f928549ec48149a5c8662e6ae290713370d16e7fcdfecd3ca8b957320c1ffac82b6f689c8777da12b2829729ec4ee1465b082300cc20db6dae

C:\Users\Admin\AppData\Local\Temp\UQQQ.exe

MD5 240f903eb4aa5a9afe63fd935ec765fd
SHA1 5619ed11e134791c03e86f65ba6b429dc198fe0e
SHA256 ad20733c5dc5dddf71a589c5a2fe783b0b7254b9376587a45d7bbb2eb6a26fd7
SHA512 c81caac25afcff3e79314e9d986e12754b2f392de4061d797ad5b20e2bc062525f2b8819b35d118a23211e4acba50d902b047344e4d5c2ebbc5c0bc00816733d

C:\Users\Admin\AppData\Local\Temp\cgIq.exe

MD5 a3d64310f0215aeadc10e029b1be88a0
SHA1 7cda47420588db431b78d1fa673ce67fac38914b
SHA256 1292476a307dd1c942d37564e0da0d541749f37ee8455dc1086bf679170a4db5
SHA512 f31d3acf5fe956179fe31862d2b0690f347152a0091da2540a4365b51dee54b1e79d9ccf0e460c9808d2c5bcef2c7351496623787e473e8323e522052e461901

C:\Users\Admin\AppData\Local\Temp\EcYU.exe

MD5 32860a498d81b7959736ae207b28ee89
SHA1 9fbe1c0432e0732f602ba90f0f8662b395cebab3
SHA256 8fce0487736557e6f5d4dcdd8cec9e82f8d02caa00cbdcff058dda2fc15af57d
SHA512 7fe251ff4d89d3c4b2d348f6cc33285f37110270ac4b38cbb7cccc412b83c4669ce534a32aa71cc5cbc8b0c71d4f36f1fcfc838dc1322fcf39e961cdb58e1af1

C:\Users\Admin\AppData\Local\Temp\awoM.exe

MD5 904f49bb78047606aa05f45e67f159d5
SHA1 b5ee08221fe48365f766a81c14f05525a0e86fd5
SHA256 02af944eab7bfc7646c043f217c3d5a2210522a77ac62c9216712ff09fc03037
SHA512 5ec93c5f003b1ddcacebe28260c6d026c857430c5e282336a7d5e39c6d8ae8f3162e2a9d5d4df1f87db4fd03f1188b31d5830aab7d15bceaeb16abd1639c7ac5

memory/544-442-0x0000000000401000-0x0000000000540000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oAMi.exe

MD5 43824bf05c22d6186732ef35df1fd558
SHA1 e4f5f02408bdbaadc59dca09b8d48f132239d4bd
SHA256 0ede16710e30fc3f6d7d4cea8bbdb7f00247cae23399294a6920b40f32397067
SHA512 b17b228e1c94e29bcbe96c896cf0c1e652c644a2fdb439ef299d0b1f1d0a78fe8ffbc1b6d4e61c7c59e8e4e1020adac2f50bb0f2e2d418d0a2a9d7d25f1d65a9

C:\Users\Admin\AppData\Local\Temp\QEom.exe

MD5 638ee97bcc714255522c8d8230f2d5ee
SHA1 ad58326dc50ba9699747abb9af337a751a466cb2
SHA256 5c854be81ddb38ce04a2e0aee8b502ae777886ba0289e6cc4f4463c448cec5f8
SHA512 3eef6ede0c002b97f189bc843ec71455f9ecdf6853da5dd78a5e1613ee3509ba9cb1b70630c89e606abcf57dc161f36da5a62ea6183f64518d5051cc49041942

C:\Users\Admin\AppData\Local\Temp\oUoM.exe

MD5 063efd8e2a756e4d2cda3552e0b9c893
SHA1 828270eb7d1a726218fe32816febcc235f8382d3
SHA256 2f8d7cd71e8aad11dd128a46cb43b7e7fd67090630351507f5f4571d9251daa0
SHA512 2c9959c1f690c19ef7949812d2ae8dfc73ed784bbeac2a0167052468e4651991962475669b1bcb351ddb5a5065cee6f23f79b090a1821aaabf5d02cb7d892df0

C:\Users\Admin\AppData\Local\Temp\QoIq.exe

MD5 cfa6e40d29fe10c3c2289bf97dcfb85a
SHA1 0291a59cbe1ed82244d9d7b06e70e03a85784474
SHA256 67e425af8e5a17bdf4f3efe71960971f17d16374a38be2c5811831199499be3d
SHA512 9f2dffcd7c9defca97b273266a9fddb0087a6865ffa89bd460f0f20fc10752097b06e5a0398651958ba1aea41bc317350f57baca2100c2b8f08c24705aa129a2

C:\Users\Admin\AppData\Local\Temp\wUYA.exe

MD5 80a023d93e5b46c8fa04079471d03fb2
SHA1 a224b2aba078146c90bc42e56f66c8deb9ee30b7
SHA256 6ea602a09fe611f74426527713f9419fa575da71a88e4ed23f8ba0c005994711
SHA512 1e3dca1709f58e966da02a75441d7e72334382e61be8d2b20cbd3508b87580f2c6e4cf582d380ef334c17df8c753cdec2e3806c706f4a7bc3f064804b16c50fc

C:\Users\Admin\AppData\Local\Temp\iAAI.exe

MD5 940639ff31855bcda4b674e71fdfd320
SHA1 052978b3d8317003caa2b43181e94281d431af90
SHA256 f964caefa9cca90b879d6ba94345d7483229a8f3c1e22402eb4cc85e1bac89c2
SHA512 4053ad9f1c20b6abafca25992086192cb3739bc8d5ce099dc1e0f9c7c64ca1ac74e85fc2c62b7bf805508fba44b05ee7f675d69b401a74af8c957e2920a93915

C:\Users\Admin\AppData\Local\Temp\GAcQ.exe

MD5 89581fe6a99eaec5c9730b649c741fbd
SHA1 b4bd032ff2ab23817f665a0a06e6b1b1eed53897
SHA256 183fd826c601f3f18ceedf7a9e502e987ee245f1daf5d1ce128b595abe5e408f
SHA512 798c40f726ee44bd36e7bef9895326acc53edc22d8ae3cece6a40595688f61e60b345dfb787485d6e41d47332d43acd809c57756bd339b4b146fbf02c48c1e82

C:\Users\Admin\AppData\Local\Temp\cAMO.exe

MD5 3edc81a7deb675621231745872bca326
SHA1 f2e412cdf2ac3cfbf6f9c99398890f06e74fdacb
SHA256 033c4aa60728917eef70dc44907b127a34c8ea654e05727746102b132dc3f6e3
SHA512 a7521f2b467be23595f4d7915208e5077666ba4ca4b428e1969b1d1b8c454debdbc2033da039fd48270e093da0b64c64863ed68bbe56f49262ceb64e60515eae

C:\Users\Admin\AppData\Local\Temp\CYEm.exe

MD5 cc917b20c40cd1c41b3956177fcd24d5
SHA1 58bfa47a3388533be3023a071acfd36663ba1623
SHA256 edbd41c514131781ee64a657fb0075b8ff79f154a23ffae67f5b88bd61c46c66
SHA512 27b97eee240bfc2eb7dcc7d8a1470ee3b931a6a1b0d80b1e064cfb12646aec9a6d259bd30e82f67a3c3d84c6359a8b697b45a667d53ebb5675a3d90a1d1c83ad

C:\Users\Admin\AppData\Local\Temp\YQQC.exe

MD5 c21c0321457418ed78a7e8b6a69a5a54
SHA1 52a520aa7c693e734a1a486c96a0ecafb943b917
SHA256 d6534e22d1f1d78e91f2893facc3384ed0887606022069909829b387ba98a055
SHA512 22fb068b56ca249452f217fc0c0f8e62d2746279cc968698e4559b2782ba31a5410107689e58dc10b7588510b685330bcf2d70c0794ab2c30e1193a518a0c8ec

C:\Users\Admin\AppData\Local\Temp\kIAM.exe

MD5 3eab1241e16e3e6caa20116ae94492fc
SHA1 cb9bc8f21edd2a51f3ce554e1e300d6fc621a294
SHA256 fadc6d6917056c69c24ea14767b5c249d97aea37491f5d6ba2135cc58d54f16c
SHA512 74b8f4dfb3b81a79f39fcb18f7e4ab96b8a24a90b3a4412e5b8b08a89aa5d03298501492d2165ad6c1c3bf1566a98e8c919afebcf8f7f970bfe7f431574dfedc

C:\Users\Admin\AppData\Local\Temp\wsMC.exe

MD5 17f471337bff844c074f639353296c3f
SHA1 1137f372d4253e9c43ffc7e85b02fb57e80b57ae
SHA256 260b22bea1509fcf6d0dee56f2c0b531fa6b74f9c985b525925b05c521ea88fd
SHA512 bd56e91244a5d2a12a3a38f993661485ef4949a20a9b14d89db77a55d065bfce7a0da51aaa7d31f157238f316766aa4aaf2b5e04c0f127505edf81429f0e48a3

C:\Users\Admin\AppData\Local\Temp\Iswo.exe

MD5 40dd46438cf06795d30f4580ee259420
SHA1 9a0f96e3c4b91510de3ed9d05a5d39276ea669d8
SHA256 dc436da3625c04c7c996ec6c0c38bf2a92a930fd00660f94f1c6ede336b941d0
SHA512 50680bd13cf675ec7f1eff5b3d4d349e8d4e0de05abd301637d2148c419b91b38de53aeb1659248565acea6172d5d092d6f2a05d12630eb7b79d4c048207238b

C:\Users\Admin\AppData\Local\Temp\oUco.exe

MD5 d4e2e0ad82a1aabe14dc38fcd5523761
SHA1 40e1b5a461b9442ffa93dfeeb18b8ca3c0ca8df8
SHA256 521e5878b4a5c5c19cebf8ae8f18e738e840bed9a2d3c669c175ebc44f0ae971
SHA512 5120ed51d81c1ba3e634063767bc6a01fd5b9ccc3de5ca9f814783436b3f920a4f492509dccdfbe124a5becd4e0d897dc7cdd62fe63c80ca29ba64d5d7f0be67

C:\Users\Admin\AppData\Local\Temp\SgQA.exe

MD5 b99fd69c291a50725fe1dc22cf095d45
SHA1 fe113fa1a4ff8f3e7d5f0c55c123794edf5494b9
SHA256 42760a41ee6a3c9569d6da6f3ecce731ebe6261df51cb40e5b2d1fb206ea3375
SHA512 e5245bfd4494ecc9516470c84d0dbe58621abc250e00c825e6f583c78e1e9dfc66a333ae42e58e6858bde420ce396107b09306d270bac3b18290ccb60a6d3e31

C:\Users\Admin\AppData\Local\Temp\WAEG.exe

MD5 f1929069a056b3b5f1c33e71bde6c1ba
SHA1 daf07ad9bef09280c548ee199209c0e292075f85
SHA256 3275bf85846260aa61ce098fb4684e95b180965af361cf45bfa7157fd287b853
SHA512 c498134a7f45857a152a390ee5ed403bad20abe72e78ffb2d039f85e6067cd4799deaf58a93c43c72d2b36da7fe772d4b7411576de2fd51123e9cfe9ef7576ff

C:\Users\Admin\AppData\Local\Temp\EMQi.exe

MD5 47fa0d08e1ebfb8c9836bf77e388aecd
SHA1 4473d129e6e2876ad321500dc9fa48c99457ddc8
SHA256 4f8946c12bada5fcf7ef1a2108bfada4104bc4553dc07e4b393c3d04f49f7cbe
SHA512 5906f9e3e07a41ad67705ba710de45dc2daa3da2926ce97535c0f272926c8dbf777758e1c1e54f77cf609ee9cc27aef817f5251412e3631e356220223ca91e39

C:\Users\Admin\AppData\Local\Temp\GAcM.exe

MD5 550edeb114efe934162c81c04ab6bcc6
SHA1 26aee9ef6e7745aa50786dcceee3ba63ea058d34
SHA256 c3f73afc9260fbfce79e8ca2ebe8815552b0c296f931b4b3b572999c06d8d7c5
SHA512 b9b82debe35ac2292a470e07e6dbda7a85376cbc2b4e945388780458b87a59080413df6203e8b41ef30311584736225002aa784cbfb4427f9450ab35adbcf8e3

C:\Users\Admin\AppData\Local\Temp\Assy.exe

MD5 20b1977482cb67a11224ff857661b8c8
SHA1 0299e837c2ef05a3baa99306f9893b1d601385d5
SHA256 677ffc42ac8fe0c62658cb06d1b7b6b3fc9e0f8fe323b0174ed04ddb85d88bca
SHA512 e8be5f5d4ad8ad17f4b7ab80db4ded898564c8e3d0cbe76e2ca9e2e36160ad48dd421340af858009d1ae2d20e30b86db03a0d529366029056eef50ad34635d1d

C:\Users\Admin\AppData\Local\Temp\GYoe.exe

MD5 255444a8ff6750c6a94c5798d302b838
SHA1 8a6e99d0706d350b4bf8435a2a993fa53f40ed99
SHA256 0fae5a89ad16b95763494046bf121e10950c2dbd1c1e0dfa0a66e8c2e7fa6829
SHA512 7a04030a1ea3458a66505465eb9fbd2f434c62dd0208e4381502cd285818c7b79e8fecf1f71490261b8641d610c429bb73b6c280e0c533ef23e13d8113329266

C:\Users\Admin\AppData\Local\Temp\YMQY.exe

MD5 1b69ecdab9a1996fd0aa3af6d015f0e2
SHA1 7652a6cf9ac1e9291aa12548dcbbbc4c1cb1b1d3
SHA256 fc86748f6b85779c73ddaf2aac4ff96cac6cd88cb2ae8071fbc95f39ed44a11c
SHA512 2501df6aafc1bed3b1e974c8425bb50d34923c842c9cc66e393c9e9b9ba6821a46e528bb38d79747a8ca0508ce8ff8afeb4d8a751305b5369ca3a41522b283f5

C:\Users\Admin\AppData\Local\Temp\eYIa.exe

MD5 f19267ce88d517e2bdadc0c9f2b38a01
SHA1 b260918ad53315d19eff37966045ac2ec26571d3
SHA256 52d24743d063cfe59ec71f4e815e7058e9453b8f75082af66c1a3eee99f740d0
SHA512 b2b8f2ab715d9d05a1aafc61dfed6c6be461e250c7f4709d5a5792b4dc85fc25778661a9c1f3f6d29fed28c3d4b27cbb0d5044e0892023911875e47d104bc23c

C:\Users\Admin\AppData\Local\Temp\GEoU.exe

MD5 2934e04b1db2c11d2a1a15ba72650664
SHA1 567395bcc4031ab681df7782265e781a0edde2c7
SHA256 30199d675971047aadbdf8ff2fd468c4cb8e725e4e03a7ba5f32a1186134d537
SHA512 88c3ea3896ebc55d1f3a0e9b1e431d46f729406478c7a4d02007ee708856ecde0fb026d6229be4d2ec255b52f81142a79372fbdcaaccfa4e6e9528ef097061d6

C:\Users\Admin\AppData\Local\Temp\YwwO.exe

MD5 9abc8cb510fe8c595640fcf4d3381dbe
SHA1 09682cca9d1b989458eadcaaa311cce066cda714
SHA256 5d5c30db523b134df0baf73ea9bfa52eb743b7a861cc8107f7e29bf77b429a81
SHA512 8d49471bf2f38882bb7f73940a2e0362eee4b90ff659b743fabec570b7d1f6f5b77ce38b643ff34f17fb86f5ec9f83d28f71a096cfe511751ee255c760d17be1

C:\Users\Admin\AppData\Local\Temp\QMEe.exe

MD5 21e12382259dd8f31f2dd66e9299e11f
SHA1 347721122d95fdf862b172ef593104045d6ad104
SHA256 0e23a918e5e0aac3a59f515fbabf86d396f23437d84c6c76942793eae3363576
SHA512 cdad58cf472d8ca252629bf6029e2682f796e430d77bc6ef9416c6e0a82bf318e50bf672177dde490ecb488d77f9c1b3165bb12773d08ec2addb195d2b93474e

C:\Users\Admin\AppData\Local\Temp\yQks.exe

MD5 98fcd502728ca0c6902cf03bda4992c0
SHA1 267324ba6f8dfad12e43ada62b03d5431e1f1fe8
SHA256 39ffc7185542f142bf157fe95559569d2e51f804ccdee1d4bcf776d5742f5823
SHA512 4242913c6e396d1ac2b94c2e1a44d85755b6237d6ba4d105094f4d79e516c367919391ac14c07d6a78d796eff6c371b5a23f0f8f240e7ed4948e18b5996512dc

C:\Users\Admin\AppData\Local\Temp\eYgS.exe

MD5 8172c11f61e2a9c02725869256da465a
SHA1 c96d388e98eac2fb72eb229783d22a3efb7d1f45
SHA256 75e558ae1631d994db845103c802d3b3f6532adff9ad29afc42810c198fd9962
SHA512 72d4bdf5d14bf83b3f816919174d4209ac9f5feaec0b837e20144720b091f471447b792eb3a0cfbdab42bea72403d92c1f05d22ce3afb8f6d9b16c0cf41d7058

C:\Users\Admin\AppData\Local\Temp\wYMY.exe

MD5 f10883af96e8944aba4b4d60020a0548
SHA1 08e58f4e7ee34cf0a25af6e30f798e95e8d329e0
SHA256 c7b420ec00bb1fc27b916229f96529c71481ed33c6cf6e731438182b5eef9d7b
SHA512 5ac58aa874f6768a421ccc1b8b1d0ae1b6c8b09c3fc3923c50478f90178c2e96f2484b4d528ddbd5f56a80de6a4f2749f06a50cb96da75c8e364b40661da3ced

C:\Users\Admin\AppData\Local\Temp\CIoK.exe

MD5 9ae3abbf93ecf3a00d5b02050fafc129
SHA1 9699bed35280fccc8457bbafeb6656bcb9b1c8fb
SHA256 c8fcfe0c531b51f1e3f7d2f6637b20854af2d2819942a6e54cece5c18c2f895c
SHA512 9b8c2f7cf35ab7c64b28248c376ba2a9599270df6ab00f09f0769387013cffd952a99560227d8c6e307aa6044f034f3f9aee0a91b1ea39500e1ce3c9aaeb9cf1

C:\Users\Admin\AppData\Local\Temp\YIoO.exe

MD5 c2204668e4897f95874bfb484615808c
SHA1 0b638aafa31b157223b9ae7b3d366e3f1e25efbe
SHA256 e26d3834b9644498a723190911fd5a6592a4f8afe4b068afa524531d46fc1538
SHA512 cdd923c8a7018e04ac1ecbd65818eeac15508cec056b7a4fbb8617af5f43afbf6cb2f98e083453e5faadf3f2c598f85962ca77ff16c8b1ab1352f33c0fe98bcb

C:\Users\Admin\AppData\Local\Temp\UAIM.exe

MD5 ccc8dca9efd0441adb76888428f75df8
SHA1 4a5746b475b23c245d233bdfbdb5bcef22a851f0
SHA256 72832f6e041a1390bff838466b87034184ebdf774c9c15d809e4ecb3d6363fcb
SHA512 dad66b837006008329b25975f3ba49c6ab18ca4b5ba774843527699f534d57d3ab1c4b87b6901e5b4c62d98e7c46445d94b597d571f09782de5b0f56d4e90cb6

C:\Users\Admin\AppData\Local\Temp\igwy.exe

MD5 2019b30d9f8ec9de73cb70f11803b989
SHA1 826b21d3eae044d73623322dcaf1050b4801d590
SHA256 dd58abdd970244d9c9429739735c30d438b9efd5d077d2dc60b4da2e40ece687
SHA512 16bdd0101a153bb7997f7043e0d73639c10b1a93234c85a44b8ca673d94a722922e0e754ed77587b9ed798e9ff3649c475cfa874fc259e267e79526905c50923

C:\Users\Admin\AppData\Local\Temp\WcsG.exe

MD5 9340983f84df368c4c89e62b4224d9f0
SHA1 99c82f40b205ca4d18972918d0b99a13eddf3c0f
SHA256 6c39629c7afb1b7ac715ebda629f7e455dc16db43130a1ead6df1115b8c70c32
SHA512 5dc5b94300bfd3c420042b4af0d1edac85c277b32aa438f699533aca08d3d4eebb7adc6463753f66533b91f9c5942a6b52674deb29478c49ae1a2ee6c3ba3372

C:\Users\Admin\AppData\Local\Temp\CUIi.exe

MD5 01aeffef32cb3004df3cf14da670d2ba
SHA1 b455796408a0e60070048bf5da255559b9143844
SHA256 7d587f74c8a47ca86c648d386f757f0d08e758f22acd33534e894bd858117df4
SHA512 14f97ecd8b68bd0153d1eb0bf9b5715f5267415c2fe719deeaad06bdd9ced52ef770941ec21c384bbbda5be6026d3510d284331fcd3af7d3436e3dd73850e5a6

C:\Users\Admin\AppData\Local\Temp\MsAC.exe

MD5 2fef49a3228fd1aa1f39ad3843742941
SHA1 34cda6e7217d2477b0fd8a69eafbf884d5837966
SHA256 4c13e5a2e94f8d1a30bcf2e1da9333b27c98e9c8e2b0edaa266cb046a0e25318
SHA512 8f32cfda9af48d9f47dff65c2c4726193237cde2c1d0d834286170462cf7f4937a40e79bff2a0bda81e817a53be57347db1a1e764d653af1fa0836a4670c66a7

C:\Users\Admin\AppData\Local\Temp\SYgc.exe

MD5 046529e9087f90f1f6a29a2fdf3d36f4
SHA1 cb78b11523450c68382ad28f55cdfcbbb505ac6d
SHA256 01a21b19ec8f4bc0e395f289998b678317ed11dbe720a08cfbe891565b7de503
SHA512 c432478c0e19510788ec3cc0d9f198a636d3e31633aadc5d4895d782c3b2197221864ad894880a4dfe8c8c318578486cd5a95475c11790fc3175aee49bdeb5d7

memory/3908-976-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SwIi.exe

MD5 febcb9c28fb08873db8d129d00d6759b
SHA1 82eed382692a74d12786090a6ac3382bdbdf5b67
SHA256 1a56983d72bcb5e1888c2a8b77ca7db03db01f86595baf697b1e3428cd6aab5f
SHA512 624994b0c433a6e95bd2d4f860f957af0fb3b7a6733db43f28a59e226d7ebd9f07ca9a5d428251c39ceaf4d77d8580d9c79666a93538b2bdeb8f93224d88ab17

C:\Users\Admin\AppData\Local\Temp\yIkA.exe

MD5 6c45570ecf51df730ab9173932117104
SHA1 9423817ffc39f6d2d75292e548ddafd02629c461
SHA256 700d064fe67cda738c773d00c990926a6329a6941749380caf20fa64a05ad762
SHA512 17e85f188a021801eab6a6df6ff962632d44f6b42c6d36d9110d3b07654f52706f8bc406a44fc4cc39e01759fe3d39c918e3f3e1e2e127eaf9cf03a9d2c338d7

C:\Users\Admin\AppData\Local\Temp\kggs.exe

MD5 efb03b6b67f75e983e4fa3e8acd7117a
SHA1 273127aee5b72dbf66fb065fde64f896c60427c8
SHA256 534afb5c9e2582cd16dc0a75d856ac1056cbd1498fbbf55dd24ba40df5f62dc2
SHA512 0698ec2d2af11a2891d5221b2fa8044305d90fd729329192477aded05983d6f27f5e60fc8dcd14d139a990be695ecba52cdcfb25dd761184828755ca015e1085

C:\Users\Admin\AppData\Local\Temp\seUU.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\SIkM.exe

MD5 a8501751a2f1062cb4429f4ab523f3bb
SHA1 da7e1962ec09ac933bfe3099d7ce78013292424b
SHA256 116b4d3d45161071290f88aaf6343e9022d08b6f211b2702e05e6ae720f70491
SHA512 6e598e0f9533799d572cd801a9846a97d80767bf9eaef84ac0c9ef09fd008a887e98a08b8dbb81247dce09cf6b726b7a1fe64905ab4e73a52cf78996ee301a70

C:\Users\Admin\AppData\Local\Temp\gAcI.exe

MD5 2f4d53a7e8b12800376f92119ca4d011
SHA1 0bfbba89a8a7e279ff23ed6b0b423216c84cf181
SHA256 ff5cba42818e2a03b276f0659defed1a2773d567d7c40e163c077506dfb98137
SHA512 bc4498c7fe0fb3e201bc71502bef6bf98b993f1d360412901f54c72c70ce701dbadc796c1dd08b7e813b4c2a5a2d082663168046d4f70896b286047e4d433830

C:\Users\Admin\AppData\Local\Temp\mIcM.exe

MD5 7c4e1c1c453719ea6736a3652df3ce58
SHA1 a4ca30b0bb9c0980a5ce32d3f116a3cf0d29499a
SHA256 fcdcdb24ba691d774a68b6c8c56f9e4b16a9ddde2a9c4b34856831dc250ffdad
SHA512 198baa761e16719c4ee1bff093d425cca515e96ca07df19cf40bfd65efff66327e403dd4c04927604d105172606067e19ca776f2aaa3bb41f118a78568d7049d

C:\Users\Admin\AppData\Local\Temp\CAQm.exe

MD5 f5e4f452b9660391962f264d7bb927e8
SHA1 8866ae545e3b5f5efc80daaaadf86f2afbe597f3
SHA256 b9722ed2e3acfc9e095878d6a03d0dc719e453ab392276d8171e0552437ca487
SHA512 c62bbd8ab591a7369b524d7657869363c0722fcc1887bfae4e088bfe8d8b217f64db61cbcf7d231be836848072415a376c4f6f8e6a6f71b88e4f2bd3bb24d95e

C:\Users\Admin\AppData\Local\Temp\YIUW.exe

MD5 fe2c9ba2be825d896a81ac1ec44ab42d
SHA1 849356a2bf31aec8dd38e06423b16a63f5099cdf
SHA256 501dea4cc89cbda617d58372ab193fb92f5f6a3a6afc09d628b9f79b13bacb28
SHA512 5f9cb158c632dbc6990c36d3a7d0c8b2d2526368d64121c7a08e320a335ba644a8ca383738d5d8a5edcc815fc9041e3e0e5ce687bc12ba58e3c0478c1f6329b0

C:\Users\Admin\AppData\Local\Temp\QUUO.exe

MD5 e6146d224a9e6bf187fd52d603632f94
SHA1 834f4a820a35c0d2bd56ad126135f5f167b557c8
SHA256 58d6162c8b28bcbd8dcc1b23b1013fb1c3d3820053893b85a5907f854832a41f
SHA512 c85ef988280fad98dd88d0042a5fd222db25e0952fbf7a09b53369c6fd76733301406c7d97f1b7a311f99665c1a88caff3a7c2e580857db61081b1720e3542e5

C:\Users\Admin\AppData\Local\Temp\eUwc.exe

MD5 524db6b5efb48aeb1c4eb5e8503550e3
SHA1 c6cbbe1be4278a93b39f2bc0b66e50074e7d7035
SHA256 080a12f70748b1183dd7e53f61d5f572016a2141d4c0919373832f9d303f2c19
SHA512 00518f5434ec11a94cca4dbf42f94f937517b911afa9836ee71b762c62eb7434adc6274261403ab2a3a987c66d4183ab1d528ff35f22e2d825f9110ca4b012de

C:\Users\Admin\AppData\Local\Temp\CAkO.exe

MD5 f917b82e3fe1c5e7982fdb824b32703b
SHA1 884110e23e02adde8ec69c10c89e0d01ae4235d9
SHA256 2ba0970cd0d430fc1a93fffefcc6f9df5dc3dc5600c4a7f1765c749ef4b71f2d
SHA512 9b6e6d06b5ede5672d58e162202d50bf4b889d6a8b6f5113da1187f5e38d5837f2287cd842c1f378374e6568e4c5cc2316634f809544851e4f9632e7bb54bf6f

C:\Users\Admin\AppData\Local\Temp\MEYq.exe

MD5 857f94331753d32f6843d9fd64073a23
SHA1 f2096ef323c57a921b7944b95553562f97e63ed4
SHA256 236fc8ecaca27fcf477dc5c38d42b34782e562829f05b10f466fdfba355d9794
SHA512 ba9f6063699a540b8e61f76aa86b0132b5507a2a30fc75afbe48a2a4d49357d98c97fd2972401a24eb67ffce439c0b2ae1f3951d4b591d2075f5938f3dac32a2

C:\Users\Admin\AppData\Local\Temp\qkkE.ico

MD5 03c62b34b94a861c4f99017a91bc749e
SHA1 2ca36583370792d9d56be7e5db98417188adf5a6
SHA256 6b1018b4e474afacb1c54331284d85fdbc2bb5e945466dcbda91231feeac5fd4
SHA512 4260811ca36c05c15db789932b24767db68b0dfa1a0590e8d4f69328e208c38693e978d892e0d229756a8ab9092265e19b0a0da132f0542f8460be54ba6371f3

C:\Users\Admin\AppData\Local\Temp\eMYq.exe

MD5 bf12ae00155829dbaff8dc765e4811eb
SHA1 b278bc030e14da7b26ef4f4fc20529c25a37e2a3
SHA256 172495670b1d41d1a00e8ba39f8be00af48d2157c09788af91095a61137b16b1
SHA512 16adb8e5217b43dfebd378c8fe9e602e05b5ab231a312ce46e4eff31f2098f70d3ce0361cc920c8ef5ee2026ad01434af814c59cdc099414f30e5a7366031723

C:\Users\Admin\AppData\Local\Temp\uUck.exe

MD5 ee562b3a9137d7e123090f2369917d7b
SHA1 3586c7e605ada8e16fe0fcf831020a0736b15dba
SHA256 9c3e09a9b5e16c78dcfa88f50a708f7b408019173ab55ddce295a58ce0215875
SHA512 807ce91bfd6eff33019e771b8a26591968de78ff51eddcf3bfabbecaf23fbc112d8417aaf9adc357f82c5085f7123cb65ce397bcc11cda4809de368c525c3317

memory/1172-1198-0x0000000000400000-0x000000000046E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IMwU.exe

MD5 897a313f4e5d6d01ae60e49adc949eb3
SHA1 cdca7421fc45054d155ba8e8b3cc5fba10883d53
SHA256 e2f5fd23464cdbfadef3e92aa887e6884978e74fee463305edf5a87c81432f86
SHA512 5330b2d3bcbf5ac78933dbe1e27433e5d8756654727af5a4841f705229515610430f04e14109314c74db19dd0ffdb895120be50fe400a2ca1f85c0fea2afe59d
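The Files listing is raw indicator data. To turn it into something a blocking or hunting pipeline can consume, here is an added Python example (not tooling from the sandbox or from this report) that parses the path/hash blocks, validates digest lengths so a truncated copy-paste never lands on a blocklist, separates the `memory/...-memory.dmp` artifacts from real dropped files, and tallies dropped files per extension. The embedded sample is constructed from three entries on this page (file.vbs, AMAS.exe, YyYo.ico, plus one memory-dump line, reordered) and one hypothetical entry, xxxx.exe, whose SHA256 is deliberately cut to 60 characters; the function and class names are this example's own.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Expected hex-digest length for each algorithm the report lists under a file.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
# Sandbox memory-dump artifacts look like memory/<pid>-<n>-0x<base>-0x<end>-memory.dmp
MEMDUMP_LINE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed sample: three entries copied from the report plus one hypothetical
# entry (xxxx.exe) with a truncated SHA256 to exercise the validation path.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\AMAS.exe

MD5 ea35f867cbd86a51f906cdf34576a8d4
SHA1 e9754af22c4453b5062ad49e12674e82be61f844
SHA256 c3a621e8f180393f54166d4ed7efc779f8483e775219a2197cdee50d34361e1e
SHA512 8d39586e19832f7d2ec11ef8ab1a750cd205dcdacd43030503f9e3e3ff4a0ae6aac70e5ef9916dd0a1eaaac317f8245bfc5bfeb489aa27a8b6acc44aa235868a

C:\Users\Admin\AppData\Local\Temp\YyYo.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

memory/544-442-0x0000000000401000-0x0000000000540000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xxxx.exe

MD5 00112233445566778899aabbccddeeff
SHA1 00112233445566778899aabbccddeeff00112233
SHA256 00112233445566778899aabbccddeeff00112233445566778899aabbccdd
SHA512 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
"""


@dataclass
class DroppedFile:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)
    problems: List[str] = field(default_factory=list)  # validation findings


@dataclass
class MemoryDump:
    pid: int
    base: int
    end: int


def parse_files_section(text: str) -> Tuple[List[DroppedFile], List[MemoryDump]]:
    """Walk the Files listing: a path line followed by its hash lines, blank-separated."""
    files: List[DroppedFile] = []
    dumps: List[MemoryDump] = []
    current: Optional[DroppedFile] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMDUMP_LINE.match(line)
        if m:
            dumps.append(MemoryDump(int(m.group(1)), int(m.group(3), 16), int(m.group(4), 16)))
            current = None  # a dump entry carries no hash lines
            continue
        m = HASH_LINE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != DIGEST_LEN[algo]:
                current.problems.append(
                    f"{algo} has {len(digest)} hex chars, expected {DIGEST_LEN[algo]}"
                )
            current.hashes[algo] = digest
            continue
        current = DroppedFile(path=line)  # any other non-blank line starts a new entry
        files.append(current)
    for f in files:  # an entry missing an algorithm is also flagged, not silently accepted
        for algo in DIGEST_LEN:
            if algo not in f.hashes:
                f.problems.append(f"{algo} missing")
    return files, dumps


def sha256_blocklist(files: List[DroppedFile]) -> List[str]:
    """Unique SHA256 values safe to push to a blocklist: only entries that validated cleanly."""
    return sorted({f.hashes["SHA256"] for f in files if not f.problems})


def by_extension(files: List[DroppedFile]) -> Dict[str, int]:
    """Count dropped files per extension; ntpath parses the Windows paths on any host."""
    counts: Dict[str, int] = {}
    for f in files:
        ext = ntpath.splitext(ntpath.basename(f.path))[1].lower()
        counts[ext] = counts.get(ext, 0) + 1
    return counts


if __name__ == "__main__":
    parsed, mem = parse_files_section(SAMPLE)
    for f in parsed:
        print(ntpath.basename(f.path), f.hashes.get("SHA256"), f.problems or "ok")
    print("memory dumps:", [(d.pid, hex(d.base), hex(d.end)) for d in mem])
    print("blocklist:", sha256_blocklist(parsed))
    print("by extension:", by_extension(parsed))
```

Feed the full Files section of a report through `parse_files_section` and only the `sha256_blocklist` output goes downstream; anything with a non-empty `problems` list is reviewed by hand, which is exactly where the truncated xxxx.exe entry ends up.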