Malware Analysis Report

2025-03-15 08:19

Sample ID 241020-ystzeazajk
Target ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN
SHA256 ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9ab
Tags
discovery evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9ab

Threat Level: Known bad

The file ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware spyware stealer trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (55) files with added filename extension

Loads dropped DLL

Reads user/profile data of web browsers

Deletes itself

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 20:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 20:03

Reported

2024-10-20 20:05

Platform

win7-20240708-en

Max time kernel

120s

Max time network

88s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
(the same write is logged 52 times, all performed by reg.exe)

HideFileExt = 1 makes Explorer hide known file extensions for this user, so a dropped executable named like a document is displayed without its .exe suffix. The value lives under the user hive (HKU\<SID>), so setting it needs no elevation.

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
(the same write is logged 52 times, all performed by reg.exe)

EnableLUA = 0 under HKLM switches UAC off for every account on the machine once the system restarts or the user logs on again. The write itself requires an already-elevated token, so this is UAC being disabled for later runs rather than a prompt being bypassed in this run.

Renames multiple (55) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation C:\Users\Admin\XWQIsEUA\EkAoIkgQ.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\XWQIsEUA\EkAoIkgQ.exe N/A
N/A N/A C:\ProgramData\myAAkUQI\kcAogkIw.exe N/A
N/A N/A C:\ProgramData\beoEUAYc\uascMAsg.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\EkAoIkgQ.exe = "C:\\Users\\Admin\\XWQIsEUA\\EkAoIkgQ.exe" C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kcAogkIw.exe = "C:\\ProgramData\\myAAkUQI\\kcAogkIw.exe" C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kcAogkIw.exe = "C:\\ProgramData\\myAAkUQI\\kcAogkIw.exe" C:\ProgramData\myAAkUQI\kcAogkIw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\EkAoIkgQ.exe = "C:\\Users\\Admin\\XWQIsEUA\\EkAoIkgQ.exe" C:\Users\Admin\XWQIsEUA\EkAoIkgQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kcAogkIw.exe = "C:\\ProgramData\\myAAkUQI\\kcAogkIw.exe" C:\ProgramData\beoEUAYc\uascMAsg.exe N/A

Two autostart entries are created: EkAoIkgQ.exe per user (HKU\<SID>\...\Run) and kcAogkIw.exe machine-wide. The machine-wide entry lands under Wow6432Node because the 32-bit sample writes through WOW64 registry redirection; on a 64-bit host query it with the 32-bit view (reg query ... /reg:32). Each dropped executable re-sets its own or the other's Run value, so the three binaries maintain the persistence between them.
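The registry rows in the HideFileExt, EnableLUA and Run key tables above are what a responder turns into hunt criteria. The following Python is an added example, not part of the sandbox report or of the sample: it parses rows in the report's own "Set value (type) key = "data" process target" format (the sample rows are copied from the tables above and embedded as constructed input), normalizes the \REGISTRY\MACHINE and \REGISTRY\USER prefixes to HKLM and HKU, deduplicates repeated events, and tags each write with an ATT&CK technique. The ATT&CK mapping, the needs_admin flag and the finding wording are this example's own choices, not the sandbox's.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: six rows copied from the report's indicator
# tables (the report itself repeats most of them dozens of times).
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\EkAoIkgQ.exe = "C:\\Users\\Admin\\XWQIsEUA\\EkAoIkgQ.exe" C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kcAogkIw.exe = "C:\\ProgramData\\myAAkUQI\\kcAogkIw.exe" C:\ProgramData\beoEUAYc\uascMAsg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
"""

# Row shape: Set value (<type>) <key path> = "<data>" <writing process> <target>
SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+) (\S+)$')

# Kernel object prefixes as the sandbox logs them -> hive names a hunt uses.
HIVES = (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\"))

# Triage rules: (path suffix or fragment, expected data or None, ATT&CK id, meaning).
# The ATT&CK mapping is an assumption of this example, not the sandbox's.
RULES = (
    ("\\Policies\\System\\EnableLUA", "0", "T1548.002",
     "UAC disabled for all users (takes effect at next logon)"),
    ("\\Explorer\\Advanced\\HideFileExt", "1", "T1564",
     "Explorer hides known extensions, so dropped .exe files can pose as documents"),
    ("\\CurrentVersion\\Run\\", None, "T1547.001",
     "autostart entry (Run key) pointing at a dropped executable"),
)


@dataclass(frozen=True)
class Finding:
    key: str            # normalized registry path including the value name
    data: str
    process: str        # image that performed the write
    technique: str
    meaning: str
    needs_admin: bool   # HKLM writes require an elevated token


def normalize_key(raw: str) -> str:
    for prefix, hive in HIVES:
        if raw.startswith(prefix):
            return hive + raw[len(prefix):]
    return raw


def classify(key: str, data: str):
    """Return (technique, meaning) for a registry write, or None if not interesting."""
    for pattern, expected, technique, meaning in RULES:
        # A pattern ending in "\" is a key fragment (the value name follows it);
        # otherwise it is the value name itself and must end the path.
        hit = (pattern in key) if pattern.endswith("\\") else key.endswith(pattern)
        if hit and (expected is None or data == expected):
            return technique, meaning
    return None


def triage(rows: str) -> dict[Finding, int]:
    """Parse sandbox indicator rows; return deduplicated findings with event counts."""
    counts: Counter[Finding] = Counter()
    for line in rows.strip().splitlines():
        m = SET_VALUE_RE.match(line.strip())
        if not m:
            continue  # "Key opened" / "Key value queried" rows are reads, not writes
        _vtype, raw_key, data, process, _target = m.groups()
        key = normalize_key(raw_key)
        verdict = classify(key, data)
        if verdict is None:
            continue
        technique, meaning = verdict
        counts[Finding(key, data, process, technique, meaning, key.startswith("HKLM\\"))] += 1
    return dict(counts)


def writers(findings: dict[Finding, int]) -> Counter[str]:
    """Which process images performed the flagged writes (basename, weighted by events)."""
    c: Counter[str] = Counter()
    for f, n in findings.items():
        c[f.process.rsplit("\\", 1)[-1]] += n
    return c


if __name__ == "__main__":
    found = triage(SAMPLE_ROWS)
    for f, n in sorted(found.items(), key=lambda kv: kv[0].technique):
        scope = "ADMIN" if f.needs_admin else "user "
        print(f"{f.technique:10} {scope} x{n:<3} {f.key} = {f.data!r} by {f.process}")
        print(f"           {f.meaning}")
    print("writers:", dict(writers(found)))
```

Paste the full tables into SAMPLE_ROWS to get the real event counts; the dedup key is (path, data, writing process), so the same value written by different binaries shows up as separate findings, which is what matters when deciding which dropped file owns which persistence entry.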

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\XWQIsEUA C:\ProgramData\beoEUAYc\uascMAsg.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\XWQIsEUA\EkAoIkgQ C:\ProgramData\beoEUAYc\uascMAsg.exe N/A

C:\Windows\SysWOW64\config\systemprofile is the LocalSystem account's profile directory as seen by a 32-bit process, so these writes indicate that uascMAsg.exe was running as SYSTEM when it recreated the XWQIsEUA\EkAoIkgQ drop under its %USERPROFILE%. The signature name is the sandbox's generic label for writes under the Windows directory; this is a profile-directory drop, not a modification of a system binary.

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\myAAkUQI\kcAogkIw.exe N/A
(64 events in total: reg.exe 30, cmd.exe 17, the original sample 11, cscript.exe 5, kcAogkIw.exe 1)

Opening the NLS\Language key is something nearly every Windows process does during startup, so the signature on its own is weak evidence. The useful detail in this table is the process list: cscript.exe appears nowhere else in the report, so these rows are the only trace here of a script being launched by the sample's command chain.

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
(64 events, all attributed to reg.exe; the sandbox does not record the key for this signature, but the counts match the HideFileExt and EnableLUA writes above)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\XWQIsEUA\EkAoIkgQ.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\XWQIsEUA\EkAoIkgQ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1312 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Users\Admin\XWQIsEUA\EkAoIkgQ.exe
PID 1312 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\ProgramData\myAAkUQI\kcAogkIw.exe
PID 1312 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe
PID 1312 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\reg.exe
PID 1312 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\reg.exe
PID 1312 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe
PID 2872 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\reg.exe
PID 2872 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 2352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2728 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\cmd.exe
PID 1540 wrote to memory of 1840 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

"C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe"

C:\Users\Admin\XWQIsEUA\EkAoIkgQ.exe

"C:\Users\Admin\XWQIsEUA\EkAoIkgQ.exe"

C:\ProgramData\myAAkUQI\kcAogkIw.exe

"C:\ProgramData\myAAkUQI\kcAogkIw.exe"

C:\ProgramData\beoEUAYc\uascMAsg.exe

C:\ProgramData\beoEUAYc\uascMAsg.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oIccMcYE.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ImwcsEcI.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BucoosQk.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RqYEIkIk.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XUsoAYsM.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ECAAQIkQ.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ooUIgQoA.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uEIAAogg.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qOocksoc.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xGQMAYsM.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pgAwEAAY.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nwoMgAww.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jWgQsocc.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cCEsQcoc.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QKIQgUcM.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gMwMwkIw.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aMcEQkcY.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\yAcYwEAg.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fAwUkAko.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lGowMEsQ.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tigUoEkY.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qygEQkAw.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\esMsQcEI.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oscYYwcU.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "563225185-1035724934-2102995610-18982727561234706139-1558216548-13179198461564923234"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QIwAkswA.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bCUsUwAU.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tYccccsQ.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aEwkoAII.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EowoskQg.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dYwEsgEc.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vaMssIIs.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aWAsYUIM.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-459075062-21265614621172421146-1452100319-112977618510346550461661022805-110584122"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QmkYIsQo.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1659992632-1269447706-1683092061741789352-20592210791487442915-1564660290134441703"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zakgAUIw.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "19645589941884126411-1438586402-453834120-132597999-1267284125-1017076672-1872482547"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bIcIowcs.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\POAUYUQA.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JuUsYAYM.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\COggEYcM.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2054754859-191415756231683416916583748672096275285950228263-18480990951889221986"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IcQwYAgM.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SaQooUAE.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SKwscwgQ.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zKkMsgEk.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PisAkAss.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NykcEQUY.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xOkIIAYM.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GsoAQEIw.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mAQoIkUc.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AoQQMcwk.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BqYYIccY.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XgQckYgI.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hEogwMoc.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
GB 172.217.169.14:80 google.com tcp
GB 172.217.169.14:80 google.com tcp
GB 172.217.169.14:80 google.com tcp
GB 172.217.169.14:80 google.com tcp

Files


MD5 1638a83b2dfbfe146d7531b2f6fd7926
SHA1 b822cdb8a2933ca4ccefa3872ae2f7feee54c4f9
SHA256 9d77bf4c212a15485de7a237d926be74855431b0e659a09cc626602956a407f9
SHA512 4bfad0b07232d9385546d5ab1db210888c9673531b79741ec2cd05d578233cf1a736cec23628ed91619fca4db7b322ff557ceb0064ef07c0a120d0b4cc64fde8

C:\Users\Admin\AppData\Local\Temp\CEoc.exe

MD5 e34fe2ffc6c1db8b87bbc3c9e2277972
SHA1 020f73f08af28c36825e78207666198a84a5902e
SHA256 5741cf53dc9d428ed5b7691c09671cfb67a38bbf1246dccbf179061312a73778
SHA512 63f2ed2d05f8f0100b05c683f490b50356fe3d8ccc3cb3e930cc02408f039c7a8a27918204574b680fa92d33d363611b4fb226a6fd2e616ca65a12100f31ef4b

C:\Users\Admin\AppData\Local\Temp\mwQS.exe

MD5 07e3a9ab6508929e0104596841871467
SHA1 8eff5e0aad4390a1825f9569c666ada9bb612861
SHA256 487d844bdea71c887b5e75e5d659454850727ce18d4e8dec558636d35028cbe0
SHA512 f58044771832e2096f1ea0eb38dcda50d128590ae882ed33388fce995a20725a3e58f36915a43a2aea32d8fb229ecd85377de000deeb8a6e5d4f31b3aedd038a

C:\Users\Admin\AppData\Local\Temp\UYMC.exe

MD5 b9ccf7fcb75eaa2d6e976ce158b4f713
SHA1 9efa9c21bc503b07c0acf395a7e954f9a97f0991
SHA256 bf835cd698541aa5fbb6b1f8365419951054835be058f7f58751b59fb8d66105
SHA512 6ff1b3da06a7d2e0e2369f16220f4ffca16c194cf339f206434afbe2ff54b5ecfacc72e38076bc2d73de24bd14252f78bdde6b7fdc880d3093239d1f11c02bfa

C:\Users\Admin\AppData\Local\Temp\skcm.exe

MD5 74729a92f6d0a27bfa15143a17d65e4e
SHA1 b9cf8754622e4f4df652fa3bdc9802c45b9c2b07
SHA256 03e49fbdfe4a1626bdf58a1e52f0abb7322c30ce81d63d04cd4e6fe91a36d4da
SHA512 76d7bae3ef776fc6158edaa3a3d37871b5c45c3a9813fe1f3740b42a472e878ba4efb7f1ae4d894c3d86a169df96222ddc4a05c42b3847f07d57f0088ce3bebc

C:\Users\Admin\AppData\Local\Temp\owQE.exe

MD5 8497cbf770220e9d44b2661b87df4476
SHA1 70b8c828f5a4abe85a93120b273f53ea0f5b95ef
SHA256 7b7916a06412102011bee3ec59062430c8e4021a64924dbbf01bb29a521c7182
SHA512 fe7812db28a2fb781cbe10b11c92023195e6ac5c6caaa400eecb64f125f6c091ecf8bc962da06f08e9ecfbe5706d3aa2dddb1ba47699556b1f9bbfc724d6cca1

C:\Users\Admin\AppData\Local\Temp\cgIG.exe

MD5 6c6b47a438342a416b7600aac8375552
SHA1 b2fb3922e04dc39fca2bbf5ae4ccef3e7fff0eb3
SHA256 7bc45d98713c2f8e1132ac9ef3d2af170be0af2d746f6afc6ba66bc8448520da
SHA512 a480945d774e028cc9c71c146bc2bebef44addba86fc1745dd7f91815dfa529559386d15119e6d2c5a07c505e83573a7b035707fe887ea678c917df9cf81b2bd

C:\Users\Admin\AppData\Local\Temp\YooC.exe

MD5 a28da0669be32f2b372fe42064f0d1b4
SHA1 d7fa4395d111cc9222bbd6d8352e63149f1aa9f6
SHA256 823d542daf1b98aef2f7f7764427542d8a3f8d3de04c72cf03db74fb7b421b8e
SHA512 118208c5b115a7f3ca37fc82f100be0c782124c8eccd995b799268ac19814b3b02b258e62cbc0cefcdff1c655c948f4d5675733d089e13ebfea3b96f85ad0906

C:\Users\Admin\AppData\Local\Temp\msMS.exe

MD5 db30dbff5d0da227c87836c77c66104e
SHA1 7afd3f8bc7ad78af2417da244768fda238b085ed
SHA256 d65a49e79e53396f6b6121605312453006cb9e016555582836c175055c723f27
SHA512 6646f2e1438a417befdb1cfeaebec8311f2daa03a0577a925310488fc60befbf6a1fa01fa6f39fc06136b3f22c6c0c17ec04ce9a72eab533e2623a7ca3150439

C:\Users\Admin\AppData\Local\Temp\kYwc.exe

MD5 5037add104459e478024be34edc3bf21
SHA1 9a909c1b0b03b69fa764aa27277b7a7c7d5e8116
SHA256 f9e074da8fc44527db3c82f87337b69d64a1b279946af768dfb3c26aae07971a
SHA512 6e761f5ba571df9bac3fa12aa28a738bdd40096ec67febfe17db7a91c514b9095ab48e13b14d252d374083c24a62797c086c5d4bdc2d7af821f848b9b366a657

C:\Users\Admin\AppData\Local\Temp\ykcM.exe

MD5 596f5d2e8c6e2361e8fd9f979c5f222b
SHA1 4753aa29b13785e6e250c3de0b42fbd9427f9d5f
SHA256 57a4fbc6bf0befe7e38927847e2e9be3f5e91d019d0778f96f3ff1c930eea92e
SHA512 6cd0c28cd43de9be7406e7a130ca2906aa04b400b69f8dbfeae8cda8ff1b30a0bb6dd6be2807f08a64ef6d5b543968178b7be9d9f03b85e86f8a548aba3599da

C:\Users\Admin\AppData\Local\Temp\eAIM.exe

MD5 bb5f963c0d21ee741261d28b297223ce
SHA1 6deb4e601a2a651eae6f52a0760444a05d342931
SHA256 f1f4c080ae1e25ff1fbe0e9d5ed720cc35a7d2bbc433c71b5f875d510b24a121
SHA512 9620a3b2e6d44afb4a59744c22158f8796f78fc9b14ab8772f3b4ce7d71943e18b040a50d54a335334f45a452ef810092cdc443d5d618cb0a2d8bef5e96a6627

C:\Users\Admin\AppData\Local\Temp\ckEG.exe

MD5 5454ce3050d8d4f64d87fd6130773fa0
SHA1 ae0d5788ff4fb49a3973806899b7c5f21521cebb
SHA256 5f0386f3f5d5a34b054aa70a83fe51dec04fed353466f1cffd8fc2e9b49e05ed
SHA512 665c41df5535e52353aaa6880b0a8933ef30317c5e28e2396689b043ed7c9e8597835e9b2d4511d2c42866adf5b7291476b89b65df299aa2a090f0b2edf16f89

C:\Users\Admin\AppData\Local\Temp\cIwA.exe

MD5 0631fbe9d1b5675ac105bfdb937f78ea
SHA1 84def52cee41e9b7891c84f3e3f66725c2f106f1
SHA256 7eb19553480608925af7e56ca71c83979a4fd77ea6bb9460cd8d364f993593cc
SHA512 bd68ba9e03a9a48cc7026326d6a9289b115165bcc1c225348bc49d205a21efeac9cad6929bdc60f80008403af824dfaad036a46ea66fab5062bd71ce316d60c6

C:\Users\Admin\AppData\Local\Temp\cAwM.exe

MD5 88b45c8127980c50a81330f7fced2335
SHA1 f3fd4b38f5f28562f9e21cea6714bac4723f2793
SHA256 52b2c9b50a1fc193248ab1b20a09916e5d74a4023a87fcfbc6774a4e8e08d806
SHA512 c273e725de8a898060142e16ff8c71fb52fc5cbadb972badf499272c81b03bb60a986ed3ce957b747d14931b6ab0ac9c99bfc28b6111955aa003d11466888cd5

C:\Users\Admin\AppData\Local\Temp\eSkM.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\QEQo.exe

MD5 fb6afa16cab38d831f9dbc38b9aeb7c8
SHA1 c2c0dd6aeec43cbb79f72ca97107387c30505aa5
SHA256 1076bb13b706e1d4b0f3877ae4868eab0f9774e084bead580454f70f08fee704
SHA512 f31aa2bf113132c68ec69e76e355c7162681fb624b8f7bcc6bd30064e4bc319398ce7605a2ff4116636bb3ffa999fe4f8d25f4d0b44d50ae2575c2cc333ec9e0

C:\Users\Admin\AppData\Local\Temp\AUIK.exe

MD5 2c4f0f931d539f999863ff720e93f06d
SHA1 e6d9102312cd7e7447adcf1699d400cd0050e2f7
SHA256 a4fa3cc8fabe6c167e88b596de847659a769945a2f0a7a3adc20a6eb1868349c
SHA512 850d031e8d0a2da6a18d04c0e33fa930cbea680c34b7beb884d3301d9b7c02d41a680a71b5c1fc187488c857bacce2b81401952ff4b3936b84373578105a7419

C:\Users\Admin\AppData\Local\Temp\icws.exe

MD5 5e5e128a1baffa7f020cf0fde8351869
SHA1 eed895bbf7646b8722e0b17df06f5627a90732d6
SHA256 14238e4559e4a8564d07ad20c97e5f61a9f98c4b1b038ad5b752a13e3c9a53b6
SHA512 4f09ddd7d18c56ad5907983c36bb0333d71ede4426f10becb5b75390522eb8ca7894e6ce16c010c8d1061822107a808e4cca9035768cc40200f0380bcae4d2a1

C:\Users\Admin\AppData\Local\Temp\fKEcsMgs.bat

MD5 d5b4e110db8dea5ebb5aa2183d06239e
SHA1 49911bc74f6739a3481338791808cb75870f4815
SHA256 58c0d510552340dcd1142fa644f5a00c61504edee424bcb810d73ce937d43db8
SHA512 48b6c69f2769d122206a7cf2e46063b7ab259a37c7616a17c73f8c40561a83b839e3cf3fc35bbeab91123810537af94f9300f94e5a2973372b3333edee44447b

C:\Users\Admin\AppData\Local\Temp\goQC.exe

MD5 f426e6af6729f6ff652f03e17234d579
SHA1 0af79f53db2b4a8883cae470fe1311e58d6dbda1
SHA256 477031e87e24f89a44c75eab7bffb5765ff956fb1cc54b6b02ed718e1e987969
SHA512 5eb336ea85bbd22cf13912afa1331240caa6cfaa29fa0295ddaffd2064dc4e5517d6383989583764ce4a26af1c8cf249a74c366fb1e6f7f811b575eb51f1f8f1

C:\Users\Admin\AppData\Local\Temp\AkEE.exe

MD5 681d00c004ad39ff861ae33b057b883c
SHA1 2ffbc1384eeb5afc89d75776939bc8e79e7ae99f
SHA256 c44e232b58aad3cb62d003c97877152307b1fa2fedfd43a836386660141e7216
SHA512 500fad3c613d38a7c66dbd8385bc630892ad095ba93f204f86c69105ff694ca11f449561ae7c7b07771e0a93bf7b07c76b0a1ec6052e350525f9472ebdfeb2af

C:\Users\Admin\AppData\Local\Temp\CcoG.exe

MD5 29afbb18ade6772043c047d09fae3adb
SHA1 e95952bbba5bab70a616895e343b9503c70b8362
SHA256 2ddf9bb4d2c2aec598108595fa2d3dd9e4eb513c8f4b63130027dfd5a6465809
SHA512 ce7b2df077f2ac70d66fc1e17776e88409e044453e279513b8751474e2d7cb5b451c98c5231a0b6bdb2520e0a9f3db150babc969ce74e002df4eefd04f976876

C:\Users\Admin\AppData\Local\Temp\IMgI.exe

MD5 6af0327ebbc3fe4adcc0ad61114ccd39
SHA1 bff7d80b465224ca5154be1bf2d5e0dbd9758421
SHA256 379ca15276b67a00a8004bce039b14c24c84230d71544f4cf71e094e2a70cfb4
SHA512 d75a5750c221d6f2c11c60a14e3abea75c7c6c645fca3729f52161cf7cd5828cc9dd362285cff084c1fdfb12767f0fb9891559f93c7c768646b711d252d6e957

C:\Users\Admin\AppData\Local\Temp\OEUy.exe

MD5 411629577c96cc0c73e1e564c9db4d0d
SHA1 d6b18bef5cba638241d4dc89ea76e1e267a7479a
SHA256 507611b4919ecaea5fabdafae54e68620b2cdf22f7b91d2144e1fff6614ebc89
SHA512 ba4b897bb6e238f575e7a64cdfe963f38c85802e6591b8be6198e4f457d8f2f449f5a323bb0840408f5bb43e656243cdabe4f1b2645dfcca89a868d1e348fb35

C:\Users\Admin\AppData\Local\Temp\OwwE.exe

MD5 8565d2928a27fd66b11354e304769e6b
SHA1 1352acdd32089fac0792f216ca550ab456226481
SHA256 70d24f92f409aa3095625a5fb4bf9b6da81986ec2d09b7d925963394dfcaecdd
SHA512 a20213e524789958a695c4d35aaa30428594d13e536a1edea7c2a4ef377a894d2ed92273d7cc3ee7614e8cd0e2d86d4c97f1e53fa00592d2952091f8630d32c9

C:\Users\Admin\AppData\Local\Temp\oAog.exe

MD5 9b446c9168d292026168f7000e2ae086
SHA1 3c7fe1569814a26e2b785d36200308e980653dd1
SHA256 db78a9a2cc6fe042b8864296032c269bb3f185ecfe3fa3894756a9f75584af57
SHA512 c45e59b5135a2014cead42e15e37600c3af547c90bb70c1c7ce6a5ad224bbbf1655acdec3cb0453ed1bb3298fe6001ba95571e987ca6c727e51130c40a0b7f3c

C:\Users\Admin\AppData\Local\Temp\MMks.exe

MD5 b39e0501b3f6a8192c8dfc2efbef55ac
SHA1 84f1037dfc735395e1fdca2c287806be8b9ec6e3
SHA256 fb70db882c9b29c1166175c9151f81a34ac8af68276c4edc4c87a5e4884557f1
SHA512 f283f64de41b4045715df49f0529be820b349d8406ba271ddc91e42d4c086f01e5ffcc50ceaf5685e6803fa4fc7b9b9ce253c5a05e0beae8280e77298fe0b51b

C:\Users\Admin\AppData\Local\Temp\ZWYksYYQ.bat

MD5 c6a150418ff5082936c5f25ccef290a1
SHA1 96c76a17573a614968637d43d196a8546b3e0896
SHA256 d4b41ff6dbb07ca3362801eba6e0f9b7a949ed91bf0765297cc6d5be1ee54ac2
SHA512 69951dad5af553d41d7352381c90812a4b623ea1fb83201b3c32ebf6d671d376a7e20fe0e891528cf29d64c3e24fa0687b75fd771b6ac4a12fb8c568d09bca09

C:\Users\Admin\AppData\Local\Temp\uUIg.exe

MD5 8b36b9f405356d965aa3a9d67c782c91
SHA1 f810634b77136c23bb4cdda46bf911833cb5d3fb
SHA256 1004fffb70229e05d9f0f6f71fe903378910f3c52d450070c49a26694aec98f3
SHA512 aee4349040f88e7b697778596362d626be939d6ed9f7b7c13ed4ca7dec4b97885bf72eadca8053a3aa0f939cbec465109f73077994fa845f78c5f9bf28f7a48e

C:\Users\Admin\AppData\Local\Temp\kCUw.ico

MD5 31b08fa4eec93140c129459a1f6fee05
SHA1 2398072762bb4d85c43b0753eebf4c4db093614f
SHA256 bb4db0f860a9999628e7d43a3cfc5cd51774553937702b4e84fb24f224bc92e6
SHA512 818a0e07a99a12be2114873298363894b3567d71e6aa9ce8b4a24c3b1bb92247450148f9b73386a8144635080be9bb99a713f7ba99cb74f8e82d01234000074d

C:\Users\Admin\AppData\Local\Temp\wkIK.exe

MD5 2785f65fd1a1f23d2ddb53d8a392e6d4
SHA1 31f1f1dd58d559c5ecd6e459a2378dcbfb23d3e3
SHA256 5bea610948e1938b19dceb41312bc5f2d912abe365d41d7a90ae43a10f028b93
SHA512 0cc272344b9fae8c6da74a1ebfbc9afcf045f20e26ea4271893407617ac1b937984637a062209577187be14212129ff6af2f927c127f6ac5eeb34766d09a444d

C:\Users\Admin\AppData\Local\Temp\yEsg.exe

MD5 dfc3ab3ab1737a835384c6394e988a29
SHA1 2aa65d6ca0b7ed60c5b1856c62ba05aab6a962e0
SHA256 85bed43a51b9694ea06d7e722e74cb38591bab6bf4a0776459e831e3384309c6
SHA512 641466d5ed19786ddc4ec6c3d426284151439f8cae684eb96b2b233f88c3f6aee6cb05802364036dc6910f424de9501e4edca8210fb7a11bed2fa48c4c27bfa8

C:\Users\Admin\AppData\Local\Temp\mMUG.exe

MD5 beddb8f533243999014dad96a677908c
SHA1 d0817ac2a7c20853fa614f61eab3943b719ed6c6
SHA256 d3abe1c55eeb05bcacdfb898156af73fa62b7c80e8d0fd6e8d5150dc170451a4
SHA512 264c5ff500b1235bf8034c4fd3a8d7139ecad9da35b6a17824a397568989ce30e74213cb6eb98f826051a65e35499047c0eaa58c5e8ccb11c7ec585ab0f8ea6b

C:\Users\Admin\AppData\Local\Temp\IsgU.exe

MD5 af2efa1504b856a4644cbc6cab43c06c
SHA1 b799dfcc0a35009c71e90792af5cc8e105bf2d06
SHA256 e34aeb3cedfb1fe3b5a077ccfa44d9af8ff6d1223747776797da6a0e0ff0d5f5
SHA512 f8f2bb5b625c7d0d84835c9a3f835de376a93e89c31adef325b2adf9c541a8611a1db6a06b2341ff0a3a977c863127c83a20e68419cd93108a0969cfc408b19c

C:\Users\Admin\AppData\Local\Temp\OgYe.exe

MD5 c2b57eb198f824f84474478748280a5d
SHA1 5b70189f2310a59d86d296caec9e55a38aa1c402
SHA256 3f0f5f1727e12ae4304676c20c0e1fc59bc4317c28abc247c832f6c7b54cd103
SHA512 02149290086fd11e56846ee89498c88f870d09efdc10dc3fc9d9d3f8cb71dd1957ba06590ba830c57c7342afdb262525b4ba1ff582d3ed39ce8576a24dc51a96

C:\Users\Admin\AppData\Local\Temp\wEwU.exe

MD5 efdd7dd718677ca65d4db9c17b91d758
SHA1 24e24c5fcfc3dbb69637d799527aeff5beeff619
SHA256 e56f97ac90bb030b6b2eb077687bc310b9bf212a6464d15ddf8ef1a5a2d8b26a
SHA512 614f87eb7ad65a81b9fa84082cbf995fb2add1cd34df4f7537a30909c9fecd04737012673cdc9995527259237e8d224c7df0074e9df5b48ffcaf1aabc3f7f3f6

C:\Users\Admin\AppData\Local\Temp\OcgQ.exe

MD5 3a3107bbd42adfe8a7665ddf3dc234ea
SHA1 801a7364badd2efa8a7da7cb00de6d5c4c612f53
SHA256 07debc99d4ef304d4af2c6717944a04f7e3dafbe10728d2b5b5370a7aac2db62
SHA512 c3e1d8f34434a8ccf4b1859315ecd88eed7507c01253ebf0024fd7046a90bece73b8c00c1a181f251846776fe4a4d8f77900bb3164188cb0dab2ef9535a2a3d0

C:\Users\Admin\AppData\Local\Temp\IUgE.exe

MD5 d01f7b18fa64f5f6eca2c52d72bf228a
SHA1 5385bdc73dabae1b2a67ff019ba234e7248187a4
SHA256 2e51cd54c2d8d2f830a8e0242f3b3601d740ac153279b6ebc9148dd173518f62
SHA512 5af43dedd5694d98afbf6d8ac1849805466d411c354fbd180f627ab3c07272629c3f689920f1c329e8b5d019a76faf6862a0facca6a8b1df9cdc4c9aafe600fc

C:\Users\Admin\AppData\Local\Temp\yUgc.exe

MD5 1843c206a4761526b8f5e9bc636ad669
SHA1 471d6e5e193cbdc1acb38be943cbe6c70d83bb2b
SHA256 5414313569cf843d6a94d5e982d85d3c4284d8b75d4761787b4ad5bca41495cf
SHA512 2ddd1ef8ce70d418583c2d85f36a3bdb63ab0e9f1609a8794ddf05666a5e95f1fdb4526cfdddc22920e6c8ee9fa01bdebffed0757ca7996c69cf86f9f31386cd

C:\Users\Admin\AppData\Local\Temp\qMcs.exe

MD5 52fd3fb87e03225108f5db4c1d9560f3
SHA1 53264711b2b9781a3423fdf01762d7e81d2260ef
SHA256 1e435307e91e5beef151ba7505a8b3a41fe8b733fd3635f3942c4632ebd3d41d
SHA512 9eff9c6ee6bdac18d5b7d605866c4d71b34046f5cdf00fb3a224ee48c3475227b0e1d1d5ac5a0f41955243c8802f7cfd54fe38a06f530bc4c306fe9ed8314fde

C:\Users\Admin\AppData\Local\Temp\MOoA.ico

MD5 0e6408f4ba9fb33f0506d55e083428c7
SHA1 48f17bb29dcd3b6855bf37e946ffad862ee39053
SHA256 fee2d2cfa0013626366a5377cb0741f28e6ec7ac15ef5d1fc7e286b755907a67
SHA512 e4da25f709807b037a8d5fb1ae7d1d57dfaf221379545b29d2074210052ef912733c6c3597a2843d47a6bf0b5c6eb5619d3b15bc221f04ec761a284cc2551914

C:\Users\Admin\AppData\Local\Temp\KIMi.exe

MD5 45c662f09a2973dcdee4c5b5b50254a8
SHA1 88fcc2e1d64326938ee0301d2a024838285e2d81
SHA256 60e8729cf50ae7f8266b14bda49573cced4c0370ac1847704df806ad20d4c0af
SHA512 a74be5fec8257cd64bf06d7bfe29c411e90bf54226c264045871c88ca92120baaab754d9681e1dd27d2747852e7a11db318e10e58b8babb7dffa78ed671e6c8a

C:\Users\Admin\AppData\Local\Temp\IYAG.exe

MD5 69c3a8e13f3d2f43581519147f68bd0d
SHA1 fbc7e26b566d9dbcd9c05ebfc0d9c5d66fa47b9e
SHA256 3216e44d0ca66ddce886bb11f3c670312d0e69981fa22660cdc69ec7bd157237
SHA512 45d5c7ba8d26b49d21972300770b0216f19d006339a703bd3027d972bae13e64db213c2152ca444110f050bb773cd8f3261593d962fff9524c9d47875c09db5f

C:\Users\Admin\AppData\Local\Temp\SQYk.exe

MD5 fc5481e691188ef9d113d16784ad09fc
SHA1 4d0e03467019c728021b74b6e462c5536634775a
SHA256 6520d75fa4a09c078ebcaa66987a89c811896993bbac800a38e06d99ba0b48cd
SHA512 ae871b415c5312375c77097a37e9d0fe0c726572897d211369d5f9811b8099dfc74f3827d45ccb97a2ed88f76a23cada41343a4f949eaaf10e2f266df713cf61

C:\Users\Admin\AppData\Local\Temp\Kggk.exe

MD5 946c64465afa717bd61e581b61ad3421
SHA1 1c06fd329d20788b2a37c8fb525dd6df0cbadf81
SHA256 ee290af64692bf4fed8bf6502f304f1d33d5191652c3833ab819568f3151bf9b
SHA512 f20c8d65dce0cfa65814ec619c7a8c9afb4c0f9350b2ab626ab9f8552c00d0053d99872c7978e88bd557e6fcf33ba45e958c6ca72f2a741054f53484c64913ae

C:\Users\Admin\AppData\Local\Temp\kQssssIs.bat

MD5 cdd9eb72b0d898af4f11844e99c1d939
SHA1 7f8a045f2f0aebf6e4156a7bf37151f2a9c2d4a6
SHA256 86679c26cfb4b743741c322bbcf32f017b382b0b56e77addac7d861eef40d904
SHA512 129ccc3cb5c481fd2a09c91b565c77748d4c3b6a5d1184cd022bf8b9d9a78ec393b140f5fcd4ea737c17fd0b92b2cba91f883456377b85f19c6083362c45ae50

C:\Users\Admin\AppData\Local\Temp\UQYU.exe

MD5 025a85f491004e09eb8068aca71ced11
SHA1 57c330e153cf50636064d20d281da9efd06d6359
SHA256 70a1aeb8864ac530d9ee95ba456f4f505b53e8a18d6f7d51f642c6110155e57d
SHA512 0569615102e7538182143cfcb88cd1cf16b3ae779d2fac036dad7a2d789d640a35bfc2ee31e2ce15303b40baf5dfa949b19a4fa88f711fa4f1554f62ddbe17dc

C:\Users\Admin\AppData\Local\Temp\YcIs.exe

MD5 8a110a414f64af918c9bebf276b2e328
SHA1 6ab92aad15c3fcf0d6fcc64e8602d782fad216da
SHA256 756d6d37b9a8cf929c5daafe8677948fac3bcc0a739478540ddbbde551eb4f8f
SHA512 4ca3e818ea2addc6fbcb03dc625fad25f5d0b472addc81130239be4a1d5774dcf4c6d7660b58d892c15dbc5c95db5a3448060b1e0fb7a7860eb3db57f23b89e5

C:\Users\Admin\AppData\Local\Temp\MQwE.ico

MD5 e1ef4ce9101a2d621605c1804fa500f0
SHA1 0cef22e54d5a2a576dd684c456ede63193dcb1dc
SHA256 8014d06d5ea4e50a99133005861cc3f30560cba30059cdd564013941560d3fc0
SHA512 f7d40862fd6bf9ee96564cf71e952e03ef1a22f47576d62791a56bdbfbff21a21914bfa2d2cae3ca02e96cd67bf05cade3a9c67139d8ceed5788253b40a10b32

C:\Users\Admin\AppData\Local\Temp\wUEk.exe

MD5 0f601defadc41cb90163c5fd05150466
SHA1 ca4239fb81176082e6f3c1955bc8837c866ee61e
SHA256 b9e65542550af8789fa6fdcb09d045c166026fea7f4bf6dbf800f55e21624ddb
SHA512 e71603bb696a73e3f46db1847f3f8322d391a5c1c2a001e06810d5258c1e7d289d5f558bdbcbc72b00651f6170f1375ba1de37f1e9d6374b4bc873e7dbaeee73

C:\Users\Admin\AppData\Local\Temp\mYsq.exe

MD5 4708d25857e00cdbafe5459ef8985af8
SHA1 c0810f996464408ed55a08bdff963a4326f4eed6
SHA256 b0af54cc9a4d5ca2e3da11760a838121a3edf8797ece95aaca8578b0969d42fe
SHA512 c7f75c55f89aa66f50b69f6fbfc1ccd775a086b7d33e6c3246824f0ef9399cb51775aa99b8f7b2e03b66552fa4d2576c20ae132302f433afb7ec4a54f0ac8201

C:\Users\Admin\AppData\Local\Temp\EwIy.exe

MD5 aaf55519a77f23f016898749c893e94e
SHA1 181333fc83aaa9bcc38f9074bc3b76ceda2b5c84
SHA256 51b099fa6006a6d1b7a2f90f4527940d9279a911dbfdb482dfa9923e79df3319
SHA512 df0b83e8444657e76bd8f55eb26660f912ee87f981a9b276b57463fcdb6e2550ef280074ad415d30aa57553f61d2f734d2056dd73d87720866ff61e2dab708a2

C:\Users\Admin\AppData\Local\Temp\yIUa.exe

MD5 da7c6552d9c3df2bd86870313e22218f
SHA1 da45cf8bbd8f8008bf2e49d3ada0dd455757680a
SHA256 ec51a87cfc2458fa0e2582f5c4d3e1d7a4efd27f59745aecdd3d330b8be145c1
SHA512 f7088c860f2b30c9fa12a4765bfab332c33455658ea31d90dd96d1a895bb7dcda3755a62567f93a7cc205efea1f711c313bf7fbecf2653e61d4b6f68590a5841

C:\Users\Admin\AppData\Local\Temp\uYgK.exe

MD5 9bd1ab3c7ef0600239b61fa3d0bb3125
SHA1 a756f8f126a8c31984053580510a171c152d5234
SHA256 8f4b1baaf5e9d0607fc058b28967060e5084c21c2a9005745f65c460686f526a
SHA512 de49f4a769b67847c7d15e990e97d43898afd11fb98537bf1b581f1878f7d121bc87ae6a51bd6910ab974629f61f5db7ec079211b60208680c2d12bd1a2b5659

C:\Users\Admin\AppData\Local\Temp\GEsw.exe

MD5 f42328d50ac854bde62aa7b13ae1a3fc
SHA1 c8791064aaa2384afa19226788b74408ce035e8f
SHA256 d9b9dc95bdf4d2895abe4f4423d68ff8fbea43fd2d1add73cb883286b5f8626e
SHA512 d387526094d4a7109e5951fa1558b873a483e8829a162a94f8f4f19827742c49a2fa25450276b90e1eb6b7815bca3aa7b6a8df2870fd0e02d1e318d3f0a9281d

C:\Users\Admin\AppData\Local\Temp\QoAC.exe

MD5 08adb987a56b8066af23090058444611
SHA1 cb9277be317a67a0195ef65240709a2f380c1c10
SHA256 0c90a7f4ff73c5d9b96b7aea4bea552800e33c9f82bc8da347a1706100d4f3c0
SHA512 8b1bd9b7ec8b5dc617739370a29558d39888d9cb5a2303b6e204eaf64b85df9d50dbfc2bb5f80b6cf71811b40c5a426543657ea2390f576963e7741aad92f3b2

C:\Users\Admin\AppData\Local\Temp\meYokIgc.bat

MD5 5251196b9c983befaf9f1d989c8014e8
SHA1 f0645f40757ecd827de45e998efc9d0bcd713857
SHA256 c788abc9dda6100add1ae3c949ccb937d8a03056719497a1ce2005505666b490
SHA512 48a3a690f07fac1d976ad5cc5438ad95770a9e5f0a7dca77e74c19154a1e31efa408d8784c1259e0307aae663c6699aed0687e25d5cd4e6e1e0d048c04a34909

C:\Users\Admin\AppData\Local\Temp\YkMU.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\ogEU.exe

MD5 ff02e03261c5bf232930cd530d57bc97
SHA1 a0f8278e8cd8f86fa2d2c0edcf32fe9634edc435
SHA256 678bd9518062bfb330e9cb44b076b03950ff0011023bcbe0d9caea32a886c2f1
SHA512 a800454dbc20d7144efb4d2f07de0efc0810581fb9f0da25f6078b8041836d5ddd402627a5b8ef6c88f01af1c4c7cb02b0a4548719a392a807cc8f5f68ecd9a5

C:\Users\Admin\AppData\Local\Temp\gkUs.exe

MD5 f2ea19cddd05740c05c02a81a5c4c777
SHA1 e0486bf68804969e5cea43aea23fdd68aa06389f
SHA256 03d8f6e392f4cdfe784b171449c5bd7f7c5c417b836347157bacb94e2af78662
SHA512 3598258b4c2e310e3d54f305cf989e9cc51666228dda57da903590db83e88afad1e129f5a7dc1645c2b4f610803b192bf9f306e427c51fbbeb35f8d573a5c037

C:\Users\Admin\AppData\Local\Temp\EMEE.exe

MD5 4c30e2fc06bc101e3422f17bd0add8bd
SHA1 02970f5d92cb58425e95668ee545fd10fbd05c5b
SHA256 4ae31c347e60f33af8e5d6ca560923298bc9a456c66de6a51ac4f48001d01cd0
SHA512 8f9f60f9752fe723f70c65978b86885da6c41567a650527f6edbfed1e8b40651e2290577c1f95630a05f61ededbdaae772ad76eb3246c412eb1b259ceb0f9aa1

C:\Users\Admin\AppData\Local\Temp\scYW.exe

MD5 fb285c01ca3888b0dc67ca6801281cca
SHA1 894a7ace761acee559dd806da812de304f47b7c6
SHA256 caf7bb962fbbf4dd62e371ae288cc250042041c0105d09417c920dc618f4ddc7
SHA512 f34387de8c45fd560cd0f94d71b6e530b0193ed2ad9dad1913a341f7d88c485253757cb0e44ec632c526608dd116056c6bfe067ffda708680661983d9ef43fe6

C:\Users\Admin\AppData\Local\Temp\IMkc.exe

MD5 bb66dfd953a79ff07c85b28c7a895c0e
SHA1 0e9e2a5100b020a17653d91369ab497b5ddc09af
SHA256 c5c1c22fbd04bdb65654256c7233bd677d6a8152ca3d6e9df79afc9931f5e919
SHA512 8d49b10ff26817a137380504e90f6b664b8308443ebd71d11e6a44e9b38963d7568e80dc0886eea7d7ee818a857fb3a99ddfc6f9da60c2c10367981333f5e846

C:\Users\Admin\AppData\Local\Temp\oEAW.exe

MD5 f6d1765c1fc7400f50096b2c850fe3e3
SHA1 f0ebdaee8b7ecd9ca8873ba3b61f2e5441c06590
SHA256 c76797bce20c68bdb3dfca308483b781dcc164bd940a2870e024f22a52191114
SHA512 b6cd6252f9d26cb9d84f2405a00b4507b288c8a1dc2c91c3dea56a6d7d434dea55c237aaca1eb7613bbd857b13a6b5c7468c620789b8f2f7f791eb64767d03b0

C:\Users\Admin\AppData\Local\Temp\CkQG.exe

MD5 8748ef15c9ddd999393ed8ca94b59914
SHA1 a125b8674eefb3d26cc1e9f2d6eef800f4de7e89
SHA256 09b772a24727ea97436fb29066e62464d5709a2f73224371eb5d44c047072233
SHA512 3d4cd090b82525237fc148d4236fc6f8821673a35ca7af455241b850ad3446809e98f504dc6fd82d0c813c85767f1101e4be3aab3122cd3fe3bc5bf7f011935c

C:\Users\Admin\AppData\Local\Temp\eYwI.exe

MD5 4496b38b686fc43740e2c64dea5c6771
SHA1 a5d35c90881cacd3af2ce382d5e7a2f3e86f9c7e
SHA256 5d54ea282e0c6f1c06519184d6c6629f24ae60b6b3f1ccb35a12c52a5dde096b
SHA512 c8a0ff33d8f9ffdd65e434d9d69e06449c24989a4ae823c785e7d5c2a3712c1c44362a3cbe7749d0ba93d6a66995c9bb816d3b12caea6e572a106c7d122b8261

C:\Users\Admin\AppData\Local\Temp\WcAo.exe

MD5 5f9039c7b49d98d63ee5c9f54fd4453d
SHA1 f3f7d7b5485af2289ca20f0e01826722a2d531d4
SHA256 b3524ceffff95bc4807d238d5347b071795dc87123c2d1ae54a4e4cae0b8aa7c
SHA512 a0d78b1021faef58358a0a2121c470e86b446c0000d2c0fe9c3d4bd60951033835a1ad52f5d7a515bb2e90d7d1a53f2f657b4e4e8602d22966a67c83e9f4137c

C:\Users\Admin\AppData\Local\Temp\ekUu.exe

MD5 27b949c8ef19ee94642894e5a82939aa
SHA1 715a231f739d7446c880eb15325945726cc84231
SHA256 78a6d42580d187e4160816514e34663889c2ae836135cbf0051ecf29b4d727b1
SHA512 c7be4464a233ea42610e0f58fa6de2101cd569dac89dd1436fe00c0b0113bcfaf640ef28a0df5c9bc0ff85d14395d0426d2228676dc313da081d239c3e2405b0

C:\Users\Admin\AppData\Local\Temp\osEY.exe

MD5 96b38ba40d5381241a8bd9eb85c5eff8
SHA1 5bde0c87daf2d399971c416b3ed6ac0627304bae
SHA256 db915c57088c6290053233a4977a6a617d80c7da08eba3436de4833e2e49be16
SHA512 b8b4bc27c91fd888b6c275f635009690b8443c34a97acaa682a52fa94eb3d2d7021eff3d2743e7c6910c15d690954ea1070fb7acd4b956c41398d4bb3b93e106

C:\Users\Admin\AppData\Local\Temp\qEUQ.exe

MD5 6d5bcd264a66a1d8f57b096860055a63
SHA1 9395672a1989205a0a589c0f7834613ece36d6cf
SHA256 b1aaba066b76fa00a05c06016843e143773f57a6c65af37371a61733a3a0f18a
SHA512 82377e9175e4adaf0ba314c32fb7c0f4693cdef1c8464d3cb20474a1c2dcff4d7315c19a5180c83f8ed037bbff2bbed9ca6145a9cb34707b655f3175b0c2d540

C:\Users\Admin\AppData\Local\Temp\OEYq.exe

MD5 8ac08949240a0ba2e338b57a1b6a321b
SHA1 11c2472546f0a274ca860fa7d4030ea35a1f68c4
SHA256 ca604b28857e9029516c59db6c2e7434b6218e2fa82fb1c4c23c724273df0def
SHA512 5ff579a5902f796e8831f6a2eda8578dc5569f6ed3ff53ddb8482d71d5224fc568d9c595d299e5f6e9dceff3fe855492cd652a96e3b682722e8c059545e28a04

C:\Users\Admin\AppData\Local\Temp\MIkg.exe

MD5 ded8753d4838649543ec01b35312ba6f
SHA1 ae59d02d915b360562e652ce78e415a0f8ccb248
SHA256 a754d085fd2ec280f61ce003f90b080ddd40e8cb7ceb6af8bc0768a9c2d8fe48
SHA512 68a9276f908beab4cb9c2abdb393d62cf42bcab8527f9145617b5904acbcd972b47e96803e5726a02376fa9bec59cbba01155bdf5bbfd39c4ce897ddb885260d

C:\Users\Admin\AppData\Local\Temp\mMoo.exe

MD5 4b217880dcf06882cf4e18d99d40d2d1
SHA1 9cefab2bf470d8d601361ff5d256bfc5d546f916
SHA256 bf40997eb3ba76218d035fedfd074bbac6acf9f7e9f8b6a9521086fe16440cdb
SHA512 781d99385e3b36767b5e89258bc4d1c510e44793f4218210300eb6735e88a415f2af166c6fca3ce3fbe76b221047a6345dd5dc8e056552f885be990c05e2556b

C:\Users\Admin\AppData\Local\Temp\mIgM.exe

MD5 46286caf960f98b0ef92207889d58ec8
SHA1 828021e58cb5eab8a11a817dfc334470c5221624
SHA256 3d423e6930ac70b8cb552e151a72e36fd8ffe4f42a769be4e594ac9c2433392a
SHA512 67e84379f4c2dd8a770ebf3a67c7765553a8442cb37edb4c1b0a1f66663066eadb03ee84aa61271c5c203d0c48c1c3fb3e19f1040a269339bf2476f9ac09183b

C:\Users\Admin\AppData\Local\Temp\vwwYUMYA.bat

MD5 17cc17180161915dcf17393e94d1bed3
SHA1 3f8c57d81c6f5cf8c2dc43e589387638f3d6838d
SHA256 d6904ce655cdc4a6a40f1fe2c0ff41f9eb051e5c60ac0880f923cf705041499d
SHA512 868aae3525ca098991114f4a17373e6852859c1e1915eaa61ba322655e1596c1bede0d4c847e3a9019dd1891e4c6ce35a1ba4f7e570437dc479fc90597eebbea

C:\Users\Admin\AppData\Local\Temp\WMkI.exe

MD5 fead4a6a765f7992e93be79ea5050f74
SHA1 81c3c7a6aa0512a1cbaf2ed91fe265dac9223040
SHA256 4634aa8befb8a87cdf48b10ff6afb07171c9152c86aed7d9afb23bf1e542d4a7
SHA512 be9011f1206c4c4f86c626b54d95272dce321f49d31f24ce0c296ca09bc9ccc962bbd57270a1006dfb5ca76403f41e30d9705071989214acc919cb2387294f1e

C:\Users\Admin\AppData\Local\Temp\MIUY.exe

MD5 93050351f0a827033f4ce5e393dc420b
SHA1 19f1b19d1afd45896df805f343bd4a4199e603ad
SHA256 32ec25d93ac0ccdb0a9a8e1390c15a329d3b473dd8f1481e5ef5635491187ed9
SHA512 b25b19fd08b187b00460f02d8e1dd499d296775ac992f246e14e3600ba1c1bfeeac00f953bec04952a2cfc068992e90df4b73f704213d5e215af5253ba80ba10

C:\Users\Admin\AppData\Local\Temp\oggw.exe

MD5 d3f5ee7de31febde41ef9b1566b13d6c
SHA1 449df707bb3bdd00747f5be0095192e046a8add1
SHA256 c3a7783a25fd88698ebeed9c57e12f7f0a6065e6a06549ffd601b8ccdadd1008
SHA512 62d57ac09c2314983b26a80f44992e18c9d508bb1bdb7f49803d6ffa29579fb9cdafb238f6c29c3b3187f671173e8c687a0ba06b496d06b519cdd1d644f3879c

C:\Users\Admin\AppData\Local\Temp\cgwY.exe

MD5 1ae8b33e0740eb04880cb628255481b9
SHA1 acbef57a7c337f29b0a39d173e7a8074d133e9c3
SHA256 a041ce60ce66cc697b89048be33a05f29273af4d82121d5926f865cfe856db0c
SHA512 78ef2fd3a981c63df09864c3848abbf5dfd7f2415293d76930141064ad42cd798224940757cc0187a82d139c189ff824e0d259d2e9339a6828d81ba155d8162b

C:\Users\Admin\AppData\Local\Temp\mkcA.exe

MD5 c294c4cc70f52434ffe74e2cba377528
SHA1 d76b0200018e22714ce824d9eba9cbec1172fefd
SHA256 bc8539e89a19719b406c697e42d8319773454228610e28442006d70c44e0ad27
SHA512 4937db60573ce92504941c19828cc1bf5852db9b4c59f808c402552fda1316a1e410d02049fa89517d67190f495bc50b02a08671257281fad318cd521acaf3cf

C:\Users\Admin\AppData\Local\Temp\msQU.exe

MD5 4c879bf2c4b721df2c7af04181986371
SHA1 d56d5c3ed846e7f781922d21766b35189275da30
SHA256 be8eb9d47ace841f2ed95938187ebde635c2df8ffd575533ec605fcc3c25111c
SHA512 293ce0707721c47f34f75a5985e037cac4238d8487280d4977da67e56efb4435bb2118de10ab7e08242ab3b743ffce32e53742cc9833d81385bacb73244129f4

C:\Users\Admin\AppData\Local\Temp\UcoI.exe

MD5 fb5a727d55c03cef3850be4023b01950
SHA1 a7ab9654063c4d450a7640c50700956d44ed923b
SHA256 f9f4d747193be1f3bd04c19f48e895879b8018837bfd9309c5dc6fe52b61e55f
SHA512 2b357d99564b459d5fb487e7264cf88f1177a139befad3108075a7231809eedc6ac491532962a5118ff58a5c0cceda0a9cb8c5ae2ad2f26bb7b4f0321b4df825

C:\Users\Admin\AppData\Local\Temp\Ssci.exe

MD5 f5751ca74e8d6b59160d65f974e4ad6d
SHA1 894c8691fe7d420d09cb9c2255522690ade888cb
Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 20:03

Reported

2024-10-20 20:05

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\ProgramData\liUEwIwY\ZsIsAgYU.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\FskkQcQc\HEMIYIwU.exe N/A
N/A N/A C:\ProgramData\liUEwIwY\ZsIsAgYU.exe N/A
N/A N/A C:\ProgramData\HUIcUcgs\weQEgsoQ.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HEMIYIwU.exe = "C:\\Users\\Admin\\FskkQcQc\\HEMIYIwU.exe" C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZsIsAgYU.exe = "C:\\ProgramData\\liUEwIwY\\ZsIsAgYU.exe" C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HEMIYIwU.exe = "C:\\Users\\Admin\\FskkQcQc\\HEMIYIwU.exe" C:\Users\Admin\FskkQcQc\HEMIYIwU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZsIsAgYU.exe = "C:\\ProgramData\\liUEwIwY\\ZsIsAgYU.exe" C:\ProgramData\liUEwIwY\ZsIsAgYU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZsIsAgYU.exe = "C:\\ProgramData\\liUEwIwY\\ZsIsAgYU.exe" C:\ProgramData\HUIcUcgs\weQEgsoQ.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\FskkQcQc\HEMIYIwU C:\ProgramData\HUIcUcgs\weQEgsoQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\FskkQcQc C:\ProgramData\HUIcUcgs\weQEgsoQ.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\liUEwIwY\ZsIsAgYU.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\FskkQcQc\HEMIYIwU.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
(this row is logged 48 times in the raw report; identical rows collapsed)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
(this row is logged 64 times in the raw report; identical rows collapsed)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\liUEwIwY\ZsIsAgYU.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\liUEwIwY\ZsIsAgYU.exe N/A
(this row is logged 64 times in the raw report; identical rows collapsed)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(each parent/child pair below is logged three times in the raw report, once per write; identical rows collapsed, the last pair appears once)
PID 3912 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Users\Admin\FskkQcQc\HEMIYIwU.exe
PID 3912 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\ProgramData\liUEwIwY\ZsIsAgYU.exe
PID 3912 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\cmd.exe
PID 1600 wrote to memory of 2860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe
PID 3912 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\reg.exe
PID 3912 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\reg.exe
PID 3912 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\reg.exe
PID 2860 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\reg.exe
PID 2860 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\reg.exe
PID 2860 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\reg.exe
PID 2860 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe
PID 4984 wrote to memory of 456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1644 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\reg.exe
PID 1644 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\reg.exe
PID 1644 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\reg.exe
PID 1644 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\cmd.exe
PID 4152 wrote to memory of 1096 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe
PID 4280 wrote to memory of 1128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1096 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

"C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe"

C:\Users\Admin\FskkQcQc\HEMIYIwU.exe

"C:\Users\Admin\FskkQcQc\HEMIYIwU.exe"

C:\ProgramData\liUEwIwY\ZsIsAgYU.exe

"C:\ProgramData\liUEwIwY\ZsIsAgYU.exe"

C:\ProgramData\HUIcUcgs\weQEgsoQ.exe

C:\ProgramData\HUIcUcgs\weQEgsoQ.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uyEcwkAM.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYUIgsgA.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QWMgEksw.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GEIoMwAs.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkscogIY.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqUgwUQY.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IOokgAUs.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wgscEskc.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAgcoMUY.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dgEEMQgk.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmgMEEko.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEIcYQEE.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aOIQAoIU.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YEoUIIwg.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZysoMAsc.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KIAwAsoc.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
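
The command lines above repeat the same three registry writes from every child process: HideFileExt=1 hides known extensions in Explorer, Hidden=2 hides hidden files and folders, and EnableLUA=0 under HKLM disables UAC (the write needs admin rights and only takes effect at the next logon, which is why a sandbox run rarely shows the effect). In between, cmd.exe /c launches a freshly named .bat from %TEMP% and cscript runs file.vbs from the same directory. The script below is an added example, not part of the sandbox's own tooling: it parses the image path / command line pairs in the layout used in this section and flags those writes and LOLBin launches. The rule table, the "sample.exe" short name and the excerpt in SAMPLE_PROCESS_LOG are constructed for the example; it matches on value data as well as value name, so a write that re-enables UAC (EnableLUA=1) is not flagged.

```python
"""Triage helper for the Processes listing: flag registry tampering and
LOLBin launches in image path / command line pairs. Added example, not the
sandbox's own tooling."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt in the report's layout (image path, then command line);
# the blank separator lines the report uses are ignored by the parser, and the
# long sample filename is shortened to "sample.exe".
SAMPLE_PROCESS_LOG = r'''
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GEIoMwAs.bat" "C:\Users\Admin\AppData\Local\Temp\sample.exe""
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
'''

# (key, value name, data), compared case-insensitively -> what the write does on the host.
REG_TAMPER_RULES = {
    (r"hklm\software\microsoft\windows\currentversion\policies\system", "enablelua", "0"):
        "disables UAC for every user (effective at next logon; writing HKLM needs admin rights)",
    (r"hkcu\software\microsoft\windows\currentversion\explorer\advanced", "hidefileext", "1"):
        "hides known extensions in Explorer, so a dropped 'name.pdf.exe' displays as 'name.pdf'",
    (r"hkcu\software\microsoft\windows\currentversion\explorer\advanced", "hidden", "2"):
        "tells Explorer not to show hidden files and folders",
}
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp[\\/]", re.IGNORECASE)   # accepts the mixed / seen above
SCRIPT_HOST = re.compile(r"\b[wc]script(\.exe)?\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    command: str
    detail: str


def parse_process_pairs(text):
    """Return (image_path, command_line) tuples; the listing alternates the two."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("listing does not alternate image path / command line")
    return list(zip(lines[0::2], lines[1::2]))


def parse_reg_add(cmd):
    """(key, value name, data) for a 'reg add' command, else None.
    reg.exe accepts /v /t /d /f in any order, so each switch is matched on its own."""
    tokens = cmd.split()
    if len(tokens) < 3 or [t.lower() for t in tokens[:2]] != ["reg", "add"]:
        return None

    def switch(flag):
        m = re.search(rf"\s/{flag}\s+(\S+)", cmd, re.IGNORECASE)
        return m.group(1) if m else None

    return tokens[2], switch("v"), switch("d")


def triage(text):
    """Run the rules over every command line and return the findings in listing order."""
    findings = []
    for _image, cmd in parse_process_pairs(text):
        parsed = parse_reg_add(cmd)
        if parsed:
            key, name, data = parsed
            what = REG_TAMPER_RULES.get((key.lower(), (name or "").lower(), (data or "").lower()))
            if what:
                findings.append(Finding(f"reg-tamper:{name}", cmd, what))
        elif SCRIPT_HOST.search(cmd) and TEMP_DIR.search(cmd):
            findings.append(Finding("lolbin:script-host-from-temp", cmd,
                                    "Windows Script Host running a dropped script from %TEMP%"))
        elif re.search(r"cmd\.exe\s+/c\s", cmd, re.IGNORECASE) and ".bat" in cmd.lower() and TEMP_DIR.search(cmd):
            findings.append(Finding("lolbin:batch-from-temp", cmd,
                                    "cmd.exe /c launching a dropped .bat from %TEMP%"))
    return findings


def summarize(findings):
    """Count hits per rule; every child in the report re-applies the same keys."""
    return Counter(f.rule for f in findings)


if __name__ == "__main__":
    hits = triage(SAMPLE_PROCESS_LOG)
    for f in hits:
        print(f"[{f.rule}] {f.detail}\n    {f.command}")
    print(dict(summarize(hits)))
```

On a host suspected of running this sample, the same three values can be read back with reg query (for example reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA); a value of 0 there is the persistent effect of the commands above, independent of whether the process that wrote it is still running.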

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
GB 172.217.169.14:80 google.com tcp
GB 172.217.169.14:80 google.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
GB 172.217.169.14:80 google.com tcp
GB 172.217.169.14:80 google.com tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
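
Most rows in this table are DNS traffic to the sandbox's resolver (8.8.8.8:53), and most of those are reverse (in-addr.arpa) lookups rather than queries for a name the sample wanted to reach. The only connections actually made are to google.com on port 80 and g.bing.com on port 443; the table alone does not say whether those are connectivity checks or beacons. The script below is an added example, not part of the report or the sandbox: it parses rows in the "Country Destination Domain Proto" layout, rebuilds the IPv4 address behind each PTR name and correlates it with the TCP endpoints that were observed, so reverse lookups of hosts never contacted (resolver chatter) are separated from lookups that explain a real connection. SAMPLE_NETWORK_TABLE is a constructed subset of the rows above.

```python
"""Triage helper for the Network table: separate resolver chatter from
observed connections and tie PTR lookups to the endpoints they explain.
Added example, not the sandbox's own tooling."""
import ipaddress
from dataclasses import dataclass

# Constructed subset of the table above, header line included.
SAMPLE_NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
GB 172.217.169.14:80 google.com tcp
GB 172.217.169.14:80 google.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 14.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
"""

PTR_SUFFIX = ".in-addr.arpa"


@dataclass(frozen=True)
class Row:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_rows(text):
    """Parse 'Country IP:port Domain Proto' lines; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[1]:
            continue  # header row or junk
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append(Row(country, ip, int(port), domain, proto.lower()))
    return rows


def ptr_to_ip(name):
    """'14.169.217.172.in-addr.arpa' -> '172.217.169.14'; None if not a valid IPv4 PTR name."""
    if not name.lower().endswith(PTR_SUFFIX):
        return None
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        return None
    try:
        addr = ipaddress.IPv4Address(".".join(reversed(octets)))
    except ipaddress.AddressValueError:
        return None
    # Cross-check against the stdlib's own reverse-pointer encoding.
    if addr.reverse_pointer.lower() != name.lower():
        return None
    return str(addr)


def correlate(rows):
    """Split DNS queries from connections and match PTR lookups to contacted hosts."""
    dns_rows = [r for r in rows if r.port == 53 and r.proto == "udp"]
    conn_rows = [r for r in rows if not (r.port == 53 and r.proto == "udp")]

    forward_queries = {r.domain for r in dns_rows if ptr_to_ip(r.domain) is None}
    ptr_ips = {ptr_to_ip(r.domain) for r in dns_rows} - {None}
    connections = {(r.ip, r.port, r.proto, r.domain) for r in conn_rows}  # deduplicated
    connected_ips = {c[0] for c in connections}
    resolvers = {r.ip for r in dns_rows}

    return {
        "resolvers": resolvers,
        "forward_queries": forward_queries,
        "connections": connections,
        "ptr_for_connection": ptr_ips & connected_ips,    # reverse lookups of hosts actually contacted
        "ptr_only": ptr_ips - connected_ips - resolvers,  # reverse lookups with no matching connection
    }


if __name__ == "__main__":
    for key, value in correlate(parse_rows(SAMPLE_NETWORK_TABLE)).items():
        print(f"{key}: {sorted(value)}")
```

When the same correlation is run over the full table, the "ptr_only" set is the noise to discard first; the "connections" set is the short list worth pivoting on in proxy or firewall logs.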

Files

memory/3912-0-0x0000000000401000-0x0000000000856000-memory.dmp

memory/3668-9-0x0000000000400000-0x000000000046F000-memory.dmp

C:\ProgramData\HUIcUcgs\weQEgsoQ.exe

MD5 4443ff73fbb61572e471511fa7703834
SHA1 a05554ebde7c3447c9f765fee3770d55326e7cd9
SHA256 2da922c64b74726df3c2090f3e6df9ef9b4004a608be5567cfdaf0504d491e17
SHA512 5f2682d8e3c9eda560507357213f65c60b3129c296dc0dddec03db5c017e154c961e0295f02542d1aa8c058d3dd176769237d64ec2bcc99e30aa422f778f367a

memory/2424-16-0x0000000000400000-0x000000000046E000-memory.dmp

C:\ProgramData\liUEwIwY\ZsIsAgYU.exe

MD5 eb8c065c7ca5deec382a3d3d518b0f40
SHA1 20c98969172a02eb3b19f5fe070143bff10c243e
SHA256 33e2a9cf080c5cdb24a4675b25359a0b4213aa70c49811b1f4884e81dc7fb8cc
SHA512 c5dd3070bcf9c21ffc46481a8ac86e6ef3a1bb9f95728aa329cd44205b18f95c7bb066b9be7b3999b5c2d18f41a1f34d51a0196f0176901aa1b72f63cc8f94a5

C:\Users\Admin\FskkQcQc\HEMIYIwU.exe

MD5 fe4a8297491035be62492fa9e1be2c76
SHA1 eefa125ffca3fb9f52d3d45ab30051a7684fae7c
SHA256 523d9dbee415a40d33387f908a6f5632cf7a119a5f52307fec493578bcc7fe4b
SHA512 cb9420d647c897a5cb52452a0c63edee513bbfb19972c4077da55ce2435c415a363adf446334afa1b8b18e431934e4d533127f0fe8f0581df3e03ff8bad1eb32

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

MD5 5bacbdba9af42150c27b1a182ba169f8
SHA1 797fdb039b9fdb9d271119376d50a4e532bd6c68
SHA256 c30cf61dee7def852eaa738aff1f63b6a1bc59de7f7599fa11ae685d46b55835
SHA512 6cdf90fdcab3434b2b6b610b2daba58b71feb8f1394c89e6c6f9c424fe9351d50660fb4fc459b52352b77fdf3573edd4f13bff51078605972e711927dfae23be

C:\Users\Admin\AppData\Local\Temp\uyEcwkAM.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/3912-145-0x0000000000401000-0x0000000000856000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EIIM.exe

MD5 58f9eea8d4d12d9f463a8a14a79a99f0
SHA1 dc11e4c8897d86a8dc6f799dc152d8190c0f3699
SHA256 01ed20dca095cebfa5628b5714fd52f2ef34abfd1e8334f5377a694b5d2b79c6
SHA512 5ffbe239fd19bd2686d4e7b1f948f46808bbcaf479f13ff1236551f43cd3d4ae4d1a20009db489b540553d84d7ee0b8bf3b20c2a7a169e14c817c420260e6e59

C:\Users\Admin\AppData\Local\Temp\EAoi.exe

MD5 e56628a4582f75c38d94e4c2f0e2a67a
SHA1 71e76a13b1cba8e7a6ef6ebad50d3d8cd2c9d9b4
SHA256 c09f8ccdc73abc533c6e45815de003f128d51330b2a61398c5c557af507f799c
SHA512 90bbef089f0ecd8cf85aeba00406cf21d1b1df58951336a31ce433ebb7c30e35000281957aaa316087b52540d3d234a252127d00bbf35f3b43f6b3414d7c26eb

C:\Users\Admin\AppData\Local\Temp\UAAQ.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\ikMm.exe

MD5 d9f1ba5bf38fe4d73683c56e3b831e96
SHA1 987a05a928fc6939d6094c60903358beee56c821
SHA256 d0ae1550667c80c17c7b104c6107562ec56c02f9eeaa5fc034dc39d8936a7a93
SHA512 5183424a426bf38a3edc0a8d7a70494f5ccfccc40539df173732d3ed3bd73a7dce3facc843d2284ac12ba65e56e061713f1245042c8508589fcf10a14045a89f

C:\Users\Admin\AppData\Local\Temp\ygIE.exe

MD5 9bcec9eedc88ba872567c8e68d6ad2fa
SHA1 fe2529fd003326404d341f3e523cca248b7723e0
SHA256 07e875a019caf73783906771149729401604df26ef0a00ac95ead7e3255ab4e2
SHA512 0eac24148ccd280ecbf06ac0da3eed317d8797df227bc3d36f951c6848545e5886bbe77f45f38d99ea58d94cd771135e4f8a868d114946ae64c3a46c9f1d9ebd

C:\Users\Admin\AppData\Local\Temp\iUgC.exe

MD5 f97eea4867c7a72b16382f2efad2bd4b
SHA1 fab87a1f83da15dd11798a28f9e5f5d3b122ba65
SHA256 57b1bd2c564df8be8b2d0082df5c713b2d791b24c920be101f15343b64706208
SHA512 3b59b85b94a25a69248875be97ab1f81d9c33ac7e045077e850d47b1a4745717f1c08134a9796ba73cc9b1489a59638685cde5a40c01a4c0b174f127a562ee07

C:\Users\Admin\AppData\Local\Temp\Oksa.exe

MD5 aa169530b7647721a17b50b142580125
SHA1 dbab1a811ef52bc68121613ccf7a6c41565c80aa
SHA256 4968cb239da40732968c64ffd642038b8d824cdf0db25ed4b72fbdad5c1e0ff7
SHA512 91128daa557b84a73fbac7b2d02b89be27dd5d31b092abba78801fc959773ba084533fd77868167298261737e1442a42bc15b02f8d9fa09b96bcc5a5bdfdc059

C:\Users\Admin\AppData\Local\Temp\YkIM.exe

MD5 ea0803ff76b63a16eb7e9156430edcc2
SHA1 84c2acfb47581bced08df834e83107801d253d7c
SHA256 64e50e3e51cd9ca72dc6cc12db1c63b11b3139be8e8239fbb6ab03c313f56b20
SHA512 e41e8b6551a7c1860fad16dcc8832304206bce2efe3315fff13710be94f6d086e9b4b8e15d7ab48aa306c12b3518fa9814a5373a644eac2b03e567f822d287a4

C:\Users\Admin\AppData\Local\Temp\gEgY.exe

MD5 62a8804180832690a1b46e4d8f028f50
SHA1 fbfb668ff666f471e60f81076c0112edcdc97f5a
SHA256 3be388cae46d6f62f0bfdd4e160be0b098bb3b8731605f82f32ff4ce2078a1b0
SHA512 bc42c7e2137d77d92239160a7ca0fa322ba1642432c497896ef4ed8f5e965518d31cb2033f0ee38b55ceb53853c1da919633abaea21064bc689014d9a7eb34f5

C:\Users\Admin\AppData\Local\Temp\EwAA.exe

MD5 d3a1bdcdfb4a8ca0a9458120d4d98f56
SHA1 d9080d82131f5b9879a58cc12e465edb7da8ea19
SHA256 8b59da59a4d6d29d628668fe8947294c8756211d81f3e3742e272560ded51249
SHA512 7b10a2ef7eca4c3e16444a9267e7f21a50ec237101801dced844e5789f213afa59c279340d4ee5691c3861e65a5d13aa63d027a91f953841831c9663226b8648

C:\Users\Admin\AppData\Local\Temp\eMkE.exe

MD5 90702d01208b39d58f27a460d33b6c5f
SHA1 d5d2ff57b6aec7b1100d2c1eb0eb75b3cf4e8848
SHA256 6adbb2f0f6e3c050850333f467efc145b7e64b4b9cb18a2407a1d0d7fad5561d
SHA512 b6810569e11cc3550e9dba14dcebfd845ab837fa8addecdecf120a06596395561107c47a42c762530085e004b5337f2dfe97b9a5be423b9962f3bae1021c962e

C:\Users\Admin\AppData\Local\Temp\Eksk.exe

MD5 9f68eb178f79dbfff82717b633816cde
SHA1 e482505c85fd9b3fafa70d8d834d988c3df15ed8
SHA256 47ca0bd0514caf8c2c847cb639ae55d79a1322182129102a3ed4f8db1924894f
SHA512 18c3b4755f55c9a6c7cc15fc860d768dc2dd95e00879c3414cd6226207aeae19234343f2f78782dc2527ecb0479c7d1de4e62d86a6d07cb7d0fb9ace1ddc558b

C:\Users\Admin\AppData\Local\Temp\ywgK.exe

MD5 25e1703e52a37e467a882dac7f28458e
SHA1 00150acf02e0902c6a53197581384ac583fcd752
SHA256 a5ac95e044c14d451c5b3ebc8cff810713badfcd34d0c4081dd05c6cfe945cb7
SHA512 179372fc686bb407afef1b4458dedfc892923430aa84619a5626c7119d5174e126207cacdb841a40c797a74d21971155c2f7ee84cf43a892ba37b493643dc11d

C:\Users\Admin\AppData\Local\Temp\iwgc.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\iYwq.exe

MD5 f4e1adb478fcba96b602c8f843b1da2b
SHA1 bc58bb47d3ecc649b38353e4f64085e39bca1ee3
SHA256 a715ffc3e91b8f80891eccfda45eab4cb86bb7077e7d2e449ba81df7a066b322
SHA512 8ef8f46074c03823772d67d4dbfc10c697c317ca89e407b071a5d5d67f7e96fcd0d2558b7af0d24ec8b8e19568681c9816a9e25a6c52b998c074119f90c80aff

C:\Users\Admin\AppData\Local\Temp\aoIW.exe

MD5 41f669fbfd5d5b011a2daa858e7eb786
SHA1 24ecc0f17807d5fc512ad7959e2f0c1901a27e33
SHA256 46bb1241fc002b7336c14070b7fdd9302e66b843b4fd7c4feb330ad3ca374845
SHA512 98efb324d89de64fa6e37e2080782bd2cdd303517ae9608e78f7d36137fa4bd60f2e53d05a587bab3fa08384f95d7ae82aaab32e405cc74407ebf5ccda37bef5

C:\Users\Admin\AppData\Local\Temp\uEwg.exe

MD5 00f46e4adff6b05e275f272681aa5ee3
SHA1 5cd3632ac55e4dbb04fd227476fb0fb6a32e8cb9
SHA256 cd4c8db2375dbbc76d02fc8153ccaddfa71830425b131afd1fa4ff3162a83984
SHA512 ec6ceebd34afeeeae8aad2120ffa33fdcf9617f36ad67afd1f7aa0a8f2877bc60315a051fb7b019b0be94c890b0f32308c61db9c6c3a518e4de4151516ca906d

C:\Users\Admin\AppData\Local\Temp\GgEO.exe

MD5 aa62a66b63fa6b98beb7fa89a934f1a4
SHA1 b4a6c78df8af6e2a25c55d3e0746b8f807cab028
SHA256 45ce1f59a21e9d252887802479a8be038a06cb810f40595703c913580b2c3e86
SHA512 d6e1103cc70abfd1a94937d9fd3eecacea994f0c7a5682f992c42f1ffd245ea08dc9edda72708a8acefe696ea2261093ba156a4ac3f508547f31c11b76dd5771

C:\Users\Admin\AppData\Local\Temp\YosM.exe

MD5 70c0ac81a0cec726e59fb332cf79d782
SHA1 0fff55f62395cdb75ffbb4751a56d9d525879340
SHA256 c5d794f0c599383bc293ace14b4900c99f50f2bbf7975ee86cf5ae13a3dcb77d
SHA512 ce99db0bf6f5a08c0829d8eba7eca5bfe64acd48afdf018478fae500009d7d3e9390c943f1550f07cbf71de6004a345a9c1183c6a066371cd411baeb2ea58a91

C:\Users\Admin\AppData\Local\Temp\OgoU.exe

MD5 93114731f91c5f405d5ffa66618681a9
SHA1 9e560ef7cc134857b7e0873a93bfa2b61728e801
SHA256 2d7fc63daa4301da41c8821fdb3835c2894dacf63c3b11edcbe916a3b4955608
SHA512 80ff6adf83f8e9036bfc2e5973fb093818f06a73533ab92d82d954e47fa5e2b6e77697154a65ad4661c03b4b73e44ebbd20aebb6db90ff9fc1616c291a354c9f

C:\Users\Admin\AppData\Local\Temp\eEYK.exe

MD5 1e256f94c62f43f6159e1bed8ff5be33
SHA1 88ed1c8488ad8ba9110745cc2ea1a59e2c90f1cd
SHA256 e029c403e186d9ac304eee184040362eebde48cf03d4cde173ddd312c82001e6
SHA512 732f4572f935249607197239bd3adba6c67c9f92ee42053aacc1c3bf5859bd4524e7e543b86dc11b3e26b2b70d48ca536bbd2b99cdcf65560796ec0c5c001f08

memory/3668-445-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EoYa.exe

MD5 238a3e9c2668b637d13bcc74371e282a
SHA1 abeafad40134266b2111248df4178c510eca6a1b
SHA256 b1f77301e642ac1ed04b2799bf3e59b77ea4d586b0ebab90a1ed2e37cb15ba41
SHA512 da4d0cd643121046b296dff990db3993d460ee1aa879a10e39fa9092d54532d5344a559691f7eac2a6d4f8c1c076cf1ff987ab2625f1aea9e228a0a479fba114

memory/2424-462-0x0000000000400000-0x000000000046E000-memory.dmp