Malware Analysis Report

2025-03-15 08:23

Sample ID: 241020-yw6glszbnn
Target: ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN
SHA256: ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9ab
Tags: discovery evasion persistence ransomware spyware stealer trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9ab

Threat Level: Known bad

The file ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence ransomware spyware stealer trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Renames multiple (69) files with added filename extension

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Modifies registry key

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-20 20:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-20 20:09
Reported: 2024-10-20 20:11
Platform: win7-20240903-en
Max time kernel: 150s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
(the same entry is recorded 49 times in this table)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
(the same entry is recorded 49 times in this table)

Renames multiple (69) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation C:\ProgramData\ySIUoMgg\GeUEoIwc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AycIIkoA\TekQgQAA.exe N/A
N/A N/A C:\ProgramData\ySIUoMgg\GeUEoIwc.exe N/A
N/A N/A C:\ProgramData\XoYIQsoA\gcUcgAoI.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\TekQgQAA.exe = "C:\\Users\\Admin\\AycIIkoA\\TekQgQAA.exe" C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GeUEoIwc.exe = "C:\\ProgramData\\ySIUoMgg\\GeUEoIwc.exe" C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\TekQgQAA.exe = "C:\\Users\\Admin\\AycIIkoA\\TekQgQAA.exe" C:\Users\Admin\AycIIkoA\TekQgQAA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GeUEoIwc.exe = "C:\\ProgramData\\ySIUoMgg\\GeUEoIwc.exe" C:\ProgramData\ySIUoMgg\GeUEoIwc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GeUEoIwc.exe = "C:\\ProgramData\\ySIUoMgg\\GeUEoIwc.exe" C:\ProgramData\XoYIQsoA\gcUcgAoI.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AycIIkoA C:\ProgramData\XoYIQsoA\gcUcgAoI.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AycIIkoA\TekQgQAA C:\ProgramData\XoYIQsoA\gcUcgAoI.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AycIIkoA\TekQgQAA.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
(the same entry is recorded 64 times in this table)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\ySIUoMgg\GeUEoIwc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\ySIUoMgg\GeUEoIwc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1792 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Users\Admin\AycIIkoA\TekQgQAA.exe
PID 1792 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\ProgramData\ySIUoMgg\GeUEoIwc.exe
PID 1792 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe
PID 1792 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\reg.exe
PID 1792 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\reg.exe
PID 1792 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\reg.exe
PID 2788 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\reg.exe
PID 2788 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\reg.exe
PID 2908 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe
PID 2788 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\reg.exe
PID 2788 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2708 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

"C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe"

C:\Users\Admin\AycIIkoA\TekQgQAA.exe

"C:\Users\Admin\AycIIkoA\TekQgQAA.exe"

C:\ProgramData\ySIUoMgg\GeUEoIwc.exe

"C:\ProgramData\ySIUoMgg\GeUEoIwc.exe"

C:\ProgramData\XoYIQsoA\gcUcgAoI.exe

C:\ProgramData\XoYIQsoA\gcUcgAoI.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sKYEksoE.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gKUcoAQo.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\diMccgoA.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dWoYksso.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DSQIEgUo.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IuEIcAIo.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oCYEoUIc.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qAsUMsIc.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pYIgcQAc.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RuwMsEAA.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NuMAoEAQ.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nSEMMwYY.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\muEkgooM.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cIkAgEsM.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ccYwgIMg.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CoswgwUQ.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vsosIoYI.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TGsgMoEg.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pQkssoUY.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fUUsMsIc.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ueEcckMI.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iokAIMAk.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kwIssksA.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BawowsQI.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ngIcckQU.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1732264574-649449799-807988479-171574414-1188857971-157761567411451992091526512651"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "536040462-1809065144-386782917-986549392-21003963941058219821-618699235456188390"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\raEoYoEI.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-19309816461443038456856881109933090291278612785-884803515-1587694863-1272585390"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gwoEQYsc.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QQIoMUEY.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sWckYQgc.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uSIgIcMs.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1942988490-1330684958-660736459-75903524439689243-178929267816662586931052300805"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zawMsUww.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vGgUAUcM.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WkgAIsQE.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1775624327-6851852762079654876-15891228914235892639474322141877490063-2028351802"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YeUIccEI.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DMcMAYAs.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zUcQowog.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fMUYYYUw.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "858801393-950629396-10467888101939339230-1385376944495075464-1244466581-1577040187"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1943264759-515577010-828028801-839058130-6929665732013035237-534754830-268407055"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oaoUUAwM.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-942284900902756125-209454097676164332762884832-1849943470-193802489244801215"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-932781927-240188819-147859230-1900448239223308087-1847464670-1453398456-1025165632"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\lQgAMUEg.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "205530347653064144797751813102466771801990814845969341-11382902311217655823"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\loUEcoAM.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-247731057-1936585606-1288285938-1185516468-1439343171-181769959741894427-262929931"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zKcMEgcU.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RQooIIcA.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-298892284-1054504412-1856832512391226722250158931-170986934982397395-1736837408"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cCwgUgEs.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1091247114-123209324411702326452105844540976149076-1665107646-2062206091741050119"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "172697437-49943526218897417251593590456-6987516092474844456240612781442231004"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IUEgEgAA.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "19680642701518421302-10992284252027172177283928911602862783-487590175279125584"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qgcEIQso.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YGgwIoIs.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\JgUggkcg.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-924014297-43991197068880373313309852772022014197690103726-1287507302-1186787831"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "13209072081650382689-1837367702-1608697263-1980196242-187742484910171273041147942695"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "101787341-1386426417-1570396204-105836869756517775214757919591579716611197271831"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FgccYAcA.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1154269026-16472770711551888829-1184012632-2020549926-237893525-982631264791592967"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-597210837-1654134984-270077706155745331616605543711991322314527275659738772042"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1272441560-1451588341-249053574-341825966282144534-438222875-1116703331584384336"

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
GB 216.58.204.78:80 google.com tcp
GB 216.58.204.78:80 google.com tcp
US 8.8.8.8:53 google.com udp
GB 172.217.169.14:80 google.com tcp
GB 172.217.169.14:80 google.com tcp

Files


C:\Users\Admin\AppData\Local\Temp\WoQi.exe

MD5 6639102ee87b62a09fc515068bc242c1
SHA1 d5f9f0a228cf798bf363e5ecc74a385b1267d103
SHA256 4b5f29b199c17bdb475a7576bb385fb907848fc754774f46af16820eab23fe56
SHA512 d2f471fd39aa90466c7effe0c3785ff0fab1b7068703ad0dac444ee5680e266098097b2d7f2aa27f71e6b2e05672f7cc1544e93a71a29ea4043a6e1c4545355a

C:\Users\Admin\AppData\Local\Temp\YkgM.exe

MD5 e23cd25cdea254832d4fbe15b6bfa7a5
SHA1 fef4b33b570f3284fdd7b87f87908993205c146f
SHA256 f3e4dcfd4682b7b30ab8ecf4c947bee0943d46b5322df0cbb4da6d455424d8d1
SHA512 213f39977ea85cdff7aa03a626850e08f13408b7d3971cc5d7bcb2ce6ed2f38f305fff365af9efe1ff880da79580fe363cde6e032aa053e8bee24e73b242ce0a

C:\Users\Admin\AppData\Local\Temp\kAwu.exe

MD5 184af835a2bb35b507bf4b28266f199c
SHA1 5eb6758c6eaa53a050308e9a4159171150ecb00a
SHA256 de496060d7b1ea6c312d81727a17d0cbb2961c3bccf76d72d666c350673be547
SHA512 60c7a34dc82c9e013c20f0e491408ea0f37c56abf8604255e8a8174befac86ca363a9920feb582e9ac6a120372c61c0c77510ced61acb025db3f3d0df7ada78c

C:\Users\Admin\AppData\Local\Temp\ecIC.exe

MD5 4bc87ae037cfe6cbe90bf179a2d1ed64
SHA1 c3c366cd88600feff9d241035f3cb79b4b44584e
SHA256 4cd48dd8e7e72c3e8b6f475c72f9f7d0107939550ebc1f0a49cc2d4bd81399af
SHA512 b60ee3eb89a81d8d8d191e6bf8726e077b0b1a0ce21afec3a8ca098c36771bd60d0f7956a8b9d0bd031d67b0b42f096ca63539d978a2751088a7bc8b2d5ee071

C:\Users\Admin\AppData\Local\Temp\NyowMUYg.bat

MD5 3f66177fb8900f74143037e1731af5aa
SHA1 0c48f210c10c28d87398b5c6b09fefce4ce9b65a
SHA256 7e15567aa54e25b1d2ae56ce359a12dae46a1b60f50e421377007d560113fa0a
SHA512 40474ce10878018933a17423988c9559fe3c54398f9d235951bbcd0eab12efa7bd5b258be2c2be9c3c8e0e5caa32c65474ff96fe4c0e834a04f0be4a735792ac

C:\Users\Admin\AppData\Local\Temp\kYEE.exe

MD5 b1a78625bc5bf9fd543531d400519494
SHA1 5a1f929ad10a2f2a6ffa4d3e2cd71172ecd983df
SHA256 45989d4df37c1b7b2498d95b2d79c923c67d5b5fd7283dd08f41570308293f5d
SHA512 46634b54a3c8a0adfc3cb797dd62311081eaefa32786cd6ff844e838d56dab3c6e31826bbed94c4006d55ffc8d5db06db081ad30ef586868c4b7a350a6f01215

C:\Users\Admin\AppData\Local\Temp\EEso.exe

MD5 22896007e6245404492f62eb0e6cd17d
SHA1 2e02f0ad5583864d9048fe44bb9815a4535f07b5
SHA256 1919240d5046e97354118bd87ff8385bbbab7fd3fae5f88553819ffeddb48fb6
SHA512 184b95732bc8833f81d9173c8f46d7f8017a767901038835dabbce4cd2cc00da91148d1f1a7f0fb2381dbc09ae5549f345336dd4ebc6f3c3ce44e982e9ece313

C:\Users\Admin\AppData\Local\Temp\Kcoy.exe

MD5 7ff472926467e761afdc3d9165716f10
SHA1 279c48a2ab1054af9cbb53ba4e50361f5eb79682
SHA256 4d0427528be4b6a91756cfadaa1ff107559c4f94bc54d8793d2981793167f71a
SHA512 64e0e3135b554fce280dfb272ed6ecd45351348faca00a0c47d09004b552efd9be54dcfe4183d7a9fdcd1b0dbda16277d070fdabafb2d25b553bf56cf2c21005

C:\Users\Admin\AppData\Local\Temp\KUoq.exe

MD5 13f7fbd850f46a1dd3375ed27df189fc
SHA1 c092dc111e0b60a17923c573eef8bcb9468f81ee
SHA256 f86fc27aeca4a9ff8004ce2cfc3c32e69d222812705c4b6d152d5af820ba8281
SHA512 08f2adc8d98fe3f6840a1c1efdd467bc8133bc4d053bea57e609091b050b1631153acb13d15d3e6518dfdab82439a671f590802b8fe2265ebcca48c9c5579e9d

C:\Users\Admin\AppData\Local\Temp\gIAs.exe

MD5 6fe129b27bb9e60fd388098dbbbd3c93
SHA1 b1987381c4a70ece81f4cf3e189d7d1df1a709b0
SHA256 6d47b0558f8b1c98df107f13927a496e741145b64ddac26d26344cdd2d25e518
SHA512 b41d68ff1e6329f00d5065a16cb0c0e411563c60161f2b8cf77f6b7d4c3c817dec2ba120bdcf64fb4d75cda3fdaed3a071a84345b3c5d03be1ae5f0d03f77ed6

C:\Users\Admin\AppData\Local\Temp\ioQu.exe

MD5 6b0c1b3a42c675e2aa5542b26d1d4362
SHA1 7a37c93745438c88f2c9743cc7b5fa4863e0fadc
SHA256 c5cbe4f454725a9d06edafea6f0d2f9e22a781410146342a087de87ac02984ea
SHA512 8be012f3389b9f3f93c4f9755e2979bd688e159c0ab629c2598ff69d920c82da3f4bb867eecf6d98f1bdc8593c54a1ea62665f11a8cd60c3001fb1c7ea2b6b68

C:\Users\Admin\AppData\Local\Temp\cmMwUUgw.bat

MD5 5f38a39f524fc13be146e97c3d39c671
SHA1 faa4cec8719603a9fae60e1e494e6807bcd6319d
SHA256 eb914e508efdc8613f1b95d0c8528edf02125d03e40173aa1166bfd7bca96606
SHA512 0eee79aba72d5d4667c566b12c830921b5b44d92270e574676f23bfb11316987a2fc9a67a49b58de236941fe970332bca0d95f2286f0f3f682472f0beb416061

C:\Users\Admin\AppData\Local\Temp\KGwQ.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\gAkC.exe

MD5 0d2eaa2657bb3d95756ea0e9a038a0c3
SHA1 2fbd78f57f32768b9ffd2764f1c3045963bbd151
SHA256 791fe2a16e35cb959ed8cdfae417db028d70ba31ded57de7862b4b04a1255770
SHA512 77ba6a95fed35bacd3329f6b3f84c10c279b29302b835a76f08909286359491ddc4255176b3ab1358d4342cc83476d5fda968441a25fbce6e16559caa7395c63

C:\Users\Admin\AppData\Local\Temp\eAYO.exe

MD5 5d7f07645f7ac6fca7b28f47b67730e4
SHA1 9f79fabed5ca409ee4baf7ffdc790e92bd8bc200
SHA256 276e8d1f793fd7bbb5ad57c9318314b66eec52fdb993995f70e49e09d74c6e64
SHA512 49dc6adcc482e9014b20a896764fd4efc20d3e76957f17971dbfe1c769b6cf8e237f2ddb4f4b250042e55be763f9db1c0a1cdf32f1b8ecda3c1f4baf1bb55111

C:\Users\Admin\AppData\Local\Temp\KwIs.exe

MD5 4a2e5e35e866e2714e8df94a5fd806be
SHA1 ffd54fa1bc30d3357a1b003d42ab8ddf16a16c66
SHA256 d359c787f97a193269a1a1d5031556d34502f1b427e189a96e4b5a5581f512fe
SHA512 334238bdd17b7f97bf5c6af56f9e151ae19e703a19add2af2b4a96594b4f63e397911e967d0abaa2efc5cd0efa1da220c0f4781704b7e53554dbd5927a13f3c6

C:\Users\Admin\AppData\Local\Temp\yYUA.exe

MD5 c4406b9c9fcecbe3deea2653446cd938
SHA1 541ffe65e0854ad43e67a3db90e15beccc11ae1a
SHA256 afc7733234cc964dd4b6149e10f44a737cba551f7369d1e88008566bdaecaa6a
SHA512 f3182f8c0d9ec06c2dbbff5a7440fea925364eadfa99f64fdc2a08df1fc250625c0f20285e906043d216db0368be0d1661d919f66f7f23e4ad9bb5f77aa9bb17

C:\Users\Admin\AppData\Local\Temp\OYQokEYc.bat

MD5 e238e741a2ec2d0081e4ad075e7f7585
SHA1 679fe8161dbb083c9b7f7888cccefb78f44739c4
SHA256 7a0a132a41722d83dbe602b06cdf850aeba23d388898ff8e03889bdb3d0ade0f
SHA512 27d4d9ca6b16a6b82c2f26dc7036fe8db9af5ce68b2cdd087b5873e1686e9e330c44e780fc325159216bf536ad681de7ba9a105d09766e6a38c454199935a48d

C:\Users\Admin\AppData\Local\Temp\owoi.exe

MD5 088df904dcf245ff5fa849c0f5e2dab9
SHA1 7c924868ef6563dab8211bd0e0a8d98c00cf84a4
SHA256 140ced8b598975a3d5a3b9ca6b0e451799042bc3741b525296b63905351c868a
SHA512 a8c0e85b28664096f1d7bfa7008df84c9965376242dbc4894eb1cc6f0277a6dec7ee9c1460e4a87ea39d49a684fcc9a5510ba6dc02600df1fd36f3eba8d60072

C:\Users\Admin\AppData\Local\Temp\sUcO.exe

MD5 481128f58475b3c5678fbdaf9183edca
SHA1 9d37fd3896842b3f51af973cb76c92b30dbb6aa8
SHA256 aa46a674bf90f73046e3f573423003a6ceb13cf2c51857d3d09b10b2fc9c3eb6
SHA512 d98a7937ddc185f6d05d7446aec2fc4ad7dbf1e479c4998503abb41589ff5503c6aedc62b9be318cdddaf1a94fd3e82d3de1be33b3392a6a4bc5c72e7a628ec0

C:\Users\Admin\AppData\Local\Temp\EYYC.exe

MD5 c3129a4025f3afa40c1d4d1f91daac66
SHA1 ebfa34acaaccf5a9b058a5505414f9902105e4be
SHA256 5ff10a9b0b0ef35d6e39bbe9d104b3515658f7084d9c5a7bd5fe08c2a72f3bbf
SHA512 e5aca6fd5aa5c783dd89ca90d3a752ef4675ba5505ba65fadd7331872f8795e6693dcae01515ac8bc11b18859bcafbb5480b6f57f2bc1fb7842c981479c05538

C:\Users\Admin\AppData\Local\Temp\gIsG.exe

MD5 a3d01023b95de27649bde5a20b74c001
SHA1 7dc7f2073e72939716fad7a74278d4c7b99dcf5b
SHA256 8725bb3bfad2e8e661cc46af9099f09810396a295880873cc053815f0e60c6b1
SHA512 90e61d1021219a0a11c0d1e80f436113afbf6237bae1953ceb010bf2a658b889b8244a22037aa32b4e2b0a14793cd2d685df11a1691768751cf7b75068ad80b7

C:\Users\Admin\AppData\Local\Temp\SQMy.exe

MD5 e3fbfb5de261ecd1893bdcc40713ed58
SHA1 ba8c56b743523f6c00a79ed82bb34c04b7d7771a
SHA256 3b2f6ed9174484c5897e0cd9c8f65edaf628b49bb825dbfcda77fda7aba48a95
SHA512 aaa24e4c2a119fde73bdff64c51197def15fba1bd1eaa36e74a559d325bf63a47104e44b08ceb8cf4280263b76ab522d24f9a7cf4001699c74e06d7fe1e1b503

C:\Users\Admin\AppData\Local\Temp\GoMoEcsg.bat

MD5 1ffeded239d8249d9fdd094f26809e8f
SHA1 ebbca7bb15501dae71c0eb5f3317a8d129329681
SHA256 e71b8fe6d8dbec4acf4e5e2d6413eafa6dfa4274c0d080cd9821738373784d20
SHA512 8cf87452a3512d3ad96be398c7721e58d256f29fe2f22df9d9b538f31113a189b821be945a01c955c6c9702ed3e18ac4cc78892f9d4d9c9b38acf50c48fd57e4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png.exe

MD5 2613e51878038c93e61a20fb19376b16
SHA1 b948784c491e3bd2bbeae4ef46a86ad63cd5b6df
SHA256 f9286bdfbd0e1f06514cfcc90f56087203363522236b6719c7df1741354a8c4d
SHA512 2ee5980c0818aa22ee1dd3f7fd4ab152906ce08d79fe29885f3f08dc1300efe6ef16c27e09678d0b90c074e4c1d1ea6ed5693b90b7bc0fb6c7740fab90a115b5

C:\Users\Admin\AppData\Local\Temp\yAwq.exe

MD5 8aec6b23647b00e74bfc9364d15a3aa8
SHA1 6f85e913d895a79a58398b10eed2bfb598e250dd
SHA256 2b38a795b8391fdc89d587c1529cbe0958eb58114ed2d29bae2005d5c29bdc18
SHA512 0202d0e6883d778ae8e47add0e0415b8c733174a5f019fc6f6c56cc4fb0619d62ca72832904dc3624ceceff56c0084276633e22ff98af032c52014871a7a3c97

C:\Users\Admin\AppData\Local\Temp\Wswg.exe

MD5 30e4db21b8306fb8d5801556a39fbc18
SHA1 5949210eb7c4d49775fd81bca4e3d0a859e22305
SHA256 70381d4da80abcc470b07e4947cb34f93dc1ac261d9c3d0a36964e7dc0e35afa
SHA512 7d0387658153e719c7dc626aac907799b4cc425e327fb95fcce4bfa89adfdc995c820502ed798aec55118fff1b5d8192b9bc771d1044d0da391ac356ea619d44

C:\Users\Admin\AppData\Local\Temp\cMsk.exe

MD5 f09b3fc2a1ff1b0ce6c1830ffb5f66b2
SHA1 f0d0c80958d3985c1fcc204d10ed69dd0c2c3cbd
SHA256 bfd88d3a27ffb6e5af470f9091d4ea52956a57d6aba9b8b6ee5f11e8c6d54e7f
SHA512 57ca5dee7432f28fb229a407c4e8e181e40496564a99fb66999ad19d6ca8323ad388e206aaf5d588611f1cd3f3a729954492323132a5b7715e2866b86eaf6985

C:\Users\Admin\AppData\Local\Temp\YYMc.exe

MD5 e55d6ddcfaaf083efaa6d224c37fdbc4
SHA1 99e905dc9003e81c4131c72edb026df391167d8f
SHA256 b5edb8c2923e5e63692b56a43a5b49e9e68736a0c8e8247ab93258c58e942b70
SHA512 17d62224595f76c3c1152b27e9b500e4737b8ab08d69b1e453f488f5bcbd21e210b401bfae2e7ced85b5e7e6f71c3f94f8169aeb1a6403151e834be7e497c768

C:\Users\Admin\AppData\Local\Temp\IYEg.exe

MD5 06bc2c77dd33885d53a5fdec0667061a
SHA1 6a35f4dfa2d702f43c97b64d4c21949154351fa5
SHA256 084f56a580e8050e25a5cd5230c3dcf0dc4052392d8213884b35001bd56b19dc
SHA512 7f8c8392485cb0861d0553e8053b208b79c458b13c1a59f0137de5f2028eea81319e21e889d1a4a86033ca1984d64002b3796514f51fd4f01a72dca8ecca5be7

C:\Users\Admin\AppData\Local\Temp\aEEm.exe

MD5 a1e48d1e99e1f2625cd6a7d1c3587a8c
SHA1 8f01bd31d852e09bf2fc62a1885b1aba22d5dece
SHA256 fea36c48cc6d3e0c9437448fa2d2b690d318b021705cc119248244bf03d0f2af
SHA512 cfbc497f7433566b24ca8bc33ddeaee45a98c9f7a3a59b6fbc291c9174ab34e739fc4901f1fd843b7f9057578f884f5e2b09c89e8f3af90cf38f9f77bfc0c4f8

C:\Users\Admin\AppData\Local\Temp\oEky.exe

MD5 55d11337f2aea5245a3598e8c0e5fc30
SHA1 023d5cb91146d148a88dd87caee438dc4f4799dd
SHA256 8b566f5dffc874ea0ca297ce8f02826724443d4fb212bb75164addf02fbb964a
SHA512 1a5e34ba8d16bb53040b605da19edb31cd6e261bd20af4ad337249356eeb4e3701b5e5cb61035f1ecac99f064590e1572b4e35dc7800fc73c1d832f2a76543a9

C:\Users\Admin\AppData\Local\Temp\aQkkkYkA.bat

MD5 31f4bb64157a62d37f762fe1d777f7a1
SHA1 df789a39901f4f3be445d59c783c4a0ede535ee3
SHA256 ea951bb828468d31f388487b263016e652843772c0c016d5c7bb25a8d6074657
SHA512 c69f19f29b439979b67872728df9b1c970626da576d74ae6e05d34f86361f2e847d6c14f723d881fbbff4cae367f955120939a35fdcc2d0d98d19cbb3bb34c1c

C:\Users\Admin\AppData\Local\Temp\AEsc.exe

MD5 62239f8414e59cbb822107dabdeb37e5
SHA1 81d55359b71ba8b805652fc425f7a840a66645de
SHA256 b5dfcfd26dd5ec7537e98c3d3a21d9a8b7b8572e312b36140289f65e30cdb98f
SHA512 b6b84f22064ef726c93669c0fd2223ec723d7881fbd6877546b5a21d2dba18a6b0bfa0ed024ce72de30e57d4f69f3a85a5538ee86e78058832517cae4072ae30

C:\Users\Admin\AppData\Local\Temp\WMEw.exe

MD5 84442eaee42f168aca1db43918088226
SHA1 cecd0f787e393ec1836bcf41276b933ca2ea99aa
SHA256 5032f86a397d93e125e0fc428fdbfba7dee43bbb9de531286ad9e27d1cf8618c
SHA512 6632eeb4e54214f9c6aac742c2e39c5557c6bf374b812282b537739022a167ebd2b6305fd7d1c913804e291b25b7663230410ea2871545d833748365674357cc

C:\Users\Admin\AppData\Local\Temp\YAwQ.exe

MD5 e798ca375e3324c8c9258f6f4d7a4ab7
SHA1 17e712759b6b855e2d6a8ef188e0547b791bb444
SHA256 3d80a86960574b06efa71b7e34da6d99586900035f3290de655bc1b72fac754e
SHA512 1334d4c29ed5a8be6d0c27b6d0cb89eb3b04ed7291dabe5bf0f07c3e051ffe50647a629d5b92d8c8ed1aedf966ebafa2d8f88d217aab48c1c0f84f3a2fa2c2f1

C:\Users\Admin\AppData\Local\Temp\SMka.exe

MD5 5f3b0140b5954732d75f93724125fbeb
SHA1 f5c6f3e1cdedf4430f0b346643f6e224ca6920ef
SHA256 2dc44ee20fe66c760c71cc23747753d01c574b7c583fc13d1fd12d560ef8a1e5
SHA512 7e2fd01b0eb5a9d75586919bbdc8ed5a4d4673aded4447a65d9216a16f6fa1ece5c797102e6c1894e8601d32fe3f14ba84cd8a99c57d9de946bbef691078447e

C:\Users\Admin\AppData\Local\Temp\DygocoMs.bat

MD5 30b1a3ac094b3bd2bd3e0ca36aaa126b
SHA1 ab58bcea40b07814ba5831ac87ca0188fa66cfa0
SHA256 af55a48f6e1d0d98abc980e6e67614bb7c83024b0512d970769e7e2009c8db89
SHA512 8a8dcf18e1e2528199589ff687d2aeb0ff81f2596a5b8f8a8c97ad6a6403a33f52f6e722e18a13235863a99debd05ac2c5277dcb7e58cb689104eabc55e8c846

C:\Users\Admin\AppData\Local\Temp\AQQu.exe

MD5 e0c7b8a0f5aae73a407aa43a58160fa9
SHA1 b2bd40ddeb15ad6531e1754532a447e29394dd87
SHA256 c756c2c54b4dd67bfad3915a237014a555dfc3ff2d70d6c5722691a8dc8dfddc
SHA512 c8ab4a15d1e4f4b1669cb046fd996ae1a84bf8837d3a265bbdc2933f94f7f83b2daec619a6111d36c03af3a615d63da4994a810d66fdbd91670420bebdd1cf82

C:\Users\Admin\AppData\Local\Temp\gsIY.exe

MD5 4c9bd08c60cab9c1479bd63ef6addd9d
SHA1 93bb7ca8c903ff956804382bcb9508596eff78a9
SHA256 7f5b1962ad7412119ddc6729b0d589923137e5cbd24cc8d01499c289dde7e7b1
SHA512 b1d9afddc22d803863dd6aa7cd75eefb2f65c28e4d2bb56ce846ef6c36dcb547745d6e732f373bab5961c628b3f23449a88ce38578bc09a7b7ec6d093654bb50

C:\Users\Admin\AppData\Local\Temp\AkQK.exe

MD5 aadb7383606d33ab80e7634f481a11bd
SHA1 b4b897823dc249387e8e196b8dfd7d16d4d4e0cb
SHA256 0c2df08c0712d46bdcc49327b8d1091b0209f9501395f23f19484e0e93781638
SHA512 2c9e7afc0e19bc8b787a99f2ac484011d7bee8a94b2db0526a075c39d381bbcad979861f2a61710d9c138d9c8b48c3a55079f46120e29d9137cbe4182bc0acfd

C:\Users\Admin\AppData\Local\Temp\WCEA.ico

MD5 8e03abdaa3016247fdd755b7130384bc
SHA1 08dd2d9541e1961b06957fe9a19ce83aeff51a5d
SHA256 42b58cb0928fd8fa0e0bfb129fae9cfc3b7d3230c2c9c367f0a17c4d0039aef8
SHA512 e282ec1c768aee026682d4c6a8e71d643ac4d7dcfec027536944c658d71b7c484aab2da6990c324d9677d032a86c1015020efcd92c9923dcc21e4e5ce5b0e26f

C:\Users\Admin\AppData\Local\Temp\acIm.exe

MD5 89758b325ee7e3b089d29106e3c4035f
SHA1 0c74ccf7e77216346f77b247105a02cb8d71da4d
SHA256 6202b0b2ce885bc5e21347324ed58e05391d51d80dd822e2da3366f7e23a16b6
SHA512 c06a8e0c6a841ad99aa3a6603bd94104362e863e230701b0e8cc1b4d478e289262c2f972a4ceece18322845a83b29b1ebcc14af72f9d1acf080ce4c9f40eff86

C:\Users\Admin\AppData\Local\Temp\uksW.exe

MD5 9f900100f2d1d96fff1682e51e95cae9
SHA1 b662b233da771cd7d2baabf5af6d926eb0c62fa4
SHA256 e7d07ce7512f04a81f554eac62646045458e4f4112627d8ca04ecd52ad61e9b0
SHA512 d7fd7ea85c31f7ab1a3ccafbc54506614b2891972bad5a606ce26c730d414011b26d1fd0a7780cf4be8f2a25cdcea59d305372c5e2ecb870dc50d8b8edad1679

C:\Users\Admin\AppData\Local\Temp\eskE.exe

MD5 ae748be7e4e804950b9142a4f7352bac
SHA1 968938405add84fcdf83d30c8501bcbb03a47f73
SHA256 4a9be7270892b4122376c9580e2eb6d606a2f0b2be3afe9bb2e6f3c16b40bd3d
SHA512 a4cb96a8d10bf3b4e05c04e0d1a708fe403a6118125170191c10dea2b7c5e3e22a195225870c8c784587507956ececa9505ccd6bd5a7c6736cb8b8b11e2fb940

C:\Users\Admin\AppData\Local\Temp\EQMC.exe

MD5 3a47b9aa0d3f5a2f3462e67e7b973425
SHA1 479ce11043d17d68b854fbd09c677f419cd3df17
SHA256 8054f31e34f3dbf311f72c7ebc7b1951fb8184fe341f75dc3298a736de30bc44
SHA512 3d89ca8b378fb7b5843ad2a7609cbac484afad136660c5381dcf4b0901817e528fd91ea849a39184e2d0ec527cdeeee5fd9becd04ccb4a1e561ae25a38f8fbd0

C:\Users\Admin\AppData\Local\Temp\Ywwy.exe

MD5 23612f5cfecd41a106cf7ee2f39cedeb
SHA1 eb809866e4f99e22de0540c6a9b33d791f8a712b
SHA256 faf908243ba1a7cf74022244530fd09df61a657638a3a9f09961ea02b5aad7b1
SHA512 a502a3bc1f6d0cc778383c87443d3a2238eb765deafe8d50e83e327bd83becdf88eb3cf89304992a882d5cdb608ecbab763dce175033a0359c2921c44e856134

C:\Users\Admin\AppData\Local\Temp\EYIS.exe

MD5 81c7f0be94a3e10fb071ae7672307258
SHA1 11acbfb70b38dad75487a392195d8ff647672235
SHA256 fca15112e86d21af4732d10d3b563344a03a60478996785209dc7381ba780db3
SHA512 9336416d3ec2d6d7240653899ce8c57c985244156ff24e960b29530726d2ad8f0239f41483484d62fec730e9fb0deacc362b895848998be0b92d6f6519cd37ab

C:\Users\Admin\AppData\Local\Temp\xEsUogww.bat

MD5 4f66226fd717f3973847669f18c204ef
SHA1 70b9b3592c693b225b7c1108461cc69c25e9f835
SHA256 f628b0073db1c7efd6c9e70215d834faf145aaa80a97019a56f6d12db7088da4
SHA512 ada87b974c5921138bb071de6c74ed14fd23b3732cc835ca60931b3473462b42aadc6deb80aead0888152db31b97c8b1e9bf8e03eeef09ee7cb7871d3679a071

C:\Users\Admin\AppData\Local\Temp\iIMq.exe

MD5 11af23523e5f22e7e553d1e6073e665b
SHA1 d064436c762c297c875a1abbcd1bf466ecbe1be1
SHA256 4cf4e82cc14715601742d943d05326759370a49b0af51a3a040df76e58747f1c
SHA512 8565ebdb3da04bb3ba1665dd1e7d47001f27717a3816db7fed59d571fd1d50c851b5acb9f07fe2c657fffca4b0844730c65731deea49ea1c8822a9b86ae7b702

C:\Users\Admin\AppData\Local\Temp\eoQU.exe

MD5 4ba85d6051be9e42d2f4ff0c94181b62
SHA1 b51901711cbe846ee115372f6f83beb3d5726a17
SHA256 5b6d181698d28fac4d376c192c22a30d5e3be36f14d3e145c816dfe63bc335ac
SHA512 7de5b84c698e76965334e3665a70e8386ea0cc2747a2b9194dcbaebfb351a5feb431b4d9c9c34b1d20357239f8e3995cdaa7cac9923c9243d7cec3395b3c6ac2

C:\Users\Admin\AppData\Local\Temp\uMIe.exe

MD5 83426101c099cc05621490629d42ded9
SHA1 9e043726ddf5b8153a8d0749c0a593d33a694d2a
SHA256 c5974c819f11d53bf3f099bdb7461d84f09d4cf68b8d464374fc785e5904c13f
SHA512 63075b2c07c29f368884802d2b3628c69cacac56d2577bbb122769fafe6db1f9c71fc79a8338e133b1e4825acf0baeb263190d6f4acd3ecf39886e03e3fc13bb

memory/1740-1745-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CgwW.exe

MD5 1b4a3b8eb95f360876b68b1845519203
SHA1 dc4ab17acf8b5f990e452caaf2a13581f4d6c2a3
SHA256 ee2d4db59fa16cdec18484a64094f61d4bced0c1456de2b50c748e9d4a3099cd
SHA512 c648bac7c30e98d39e3e9cdbdafa1b74add8cccce9551a3944a4602f560c07cddf1db6e925133415d9a816ccd84f1a32a5429c51316cd647dbed1490638ffdcb

C:\Users\Admin\AppData\Local\Temp\iEUm.exe

MD5 83e8451b55cfb976f82a012bfd0af205
SHA1 8cf08458d96cfeaa41077ff8966f4f4cf2212ac5
SHA256 91777f70372c6208e94b242d8ca1074f6bf8d6995700bc6762ea01a1606007f8
SHA512 2c56f963e8fb7cd03b81d5f31fe4ee53e2b5cc304dc46d28362a38e6c04e64444512aa9ee07ab8bb421461bb00aa682b24f0ee3215783641605e97eef71f7a75

C:\Users\Admin\AppData\Local\Temp\oowQ.exe

MD5 89ade70ee559c51e8ced18717404d21b
SHA1 cdb4e233a8e290ee6833b7e2c89bbf5555007cc8
SHA256 b40ffa223894237ceb2bb196c2e9aa0a270af46dcf5b2e9a13871fe244927556
SHA512 2784d0ed2fba95eadea31c27f4a5b69f4b8957a58a39a5ac54ab4b68bb941a7075902c4663fa304eb14e6654a56da846b1d6216b75bf74dded13f1cc7310bd2e

C:\Users\Admin\AppData\Local\Temp\MIwa.exe

MD5 3ed188e2baebef906d039d8bc6433341
SHA1 609ddb66b273f40521a204a94b25cff272c5529a
SHA256 46fa51aafb47ed339ff87da6457e0cc5779362c150d13c1b57e436f8c5bf7f7e
SHA512 731829f11a6a41ab6c70c7df0f5faaaa24853dcf6e66638aaca258627b7a39345671812773726efbc85858e73394d8c60746031a761cc5f111770b80e121f5cd

C:\Users\Admin\AppData\Local\Temp\gssu.exe

MD5 359f7b23fc858d4d9701496458e53c8c
SHA1 f5561f3f09b76a128c7463d6a70b23efecfbb593
SHA256 1f2dddfc1669297e442685955e5cd9872dcfd4276e96fa4f9504d542b9521c61
SHA512 710d4beb981104ff97ad2029c290702f520721f5dbc9a7b91979f3a6fa6195de395b3cf77bcae5e5504e22647c99a92e406e72395fcfb1a6f6b45391eef946f5

C:\Users\Admin\AppData\Local\Temp\SYMA.exe

MD5 8e02a912f2daf43996d73548aa0a365d
SHA1 a7310d85090f21de57c476a6ef93db74919d6057
SHA256 127740f861f4f4898b1eb17b0cb60ed3c323951a5ece7205d809e9881e163300
SHA512 f0f5567b06d24c75052bbe878a68e9afd662d8a60f6b71ddcd74da23c81ed7c141a0561d36b1fb0df79d7475b9ddb6c07e039142d7cc4e215a994fe518d68908

C:\Users\Admin\AppData\Local\Temp\IMUm.exe

MD5 add5c3ae8c3b76ac4d4d033e55ccde13
SHA1 98a97dadf393c4ff8c136ee440ebc7f3d1fc1b59
SHA256 fd76038509d0db48f64bdf2552478a34140571c0572b43f2d9b92ab44e37e335
SHA512 57efef09d28843f0d527388e8f4aaf0cd520d92c84c585f5393d9926bb869ac9ba1d3599708f42c02e5c56f80911481db1f5de042e08a72db9454ed78431cec7

C:\Users\Admin\AppData\Local\Temp\QAAc.ico

MD5 97ff638c39767356fc81ae9ba75057e8
SHA1 92e201c9a4dc807643402f646cbb7e4433b7d713
SHA256 9367b951a0360e200345d9aa5e6895e090fc3b57ae0299c468a5b43c0c63a093
SHA512 167328960c8448b4df44606d378f050ca6c24969fbd7cc8dcfe9ddeb96ac7ccd89e507a215b4c1debff0d20a0a239d547f1e496635fa2f06afad067c30597c46

C:\Users\Admin\AppData\Local\Temp\CYwE.exe

MD5 837864fca91de4a559871544467f525b
SHA1 950b3e3a19e1e0713e9bd6488dba4080cbc0c865
SHA256 58af6e93a688ae7c19a0d7a637428644239f0bd813d91a033b82a512128f6ef0
SHA512 996c9b07f5fb94613b36082f8cf2e77f706a15d699cbed870f4982cc2e9db53c63ade6da3267c8daf3064ea74e4f3b4568f5317023fde6f863ad2317b2669119

C:\Users\Admin\AppData\Local\Temp\UoQAMYQc.bat

MD5 52de3d60c35805d63518beee80d33094
SHA1 ba01578680b155d330dda89fbf3fa8f053164b21
SHA256 aa94234093c6754e41399ef0d65337dade99c338142299be767bd5933dcd23de
SHA512 58459cba50b95583a0ba590817f7e6ab5c3babe184f8a59865713fd733a9c84ee27c5a100096c07af7ab9b231bd32557bdf217bcf0b48446ece39756c0e05cc2

C:\Users\Admin\AppData\Local\Temp\igEs.exe

MD5 538a2f9edca76f5254fc6d98049decc7
SHA1 9b720b8c895d0909afc14d2729737783428384ce
SHA256 02f3752a6d0818ca3b4cece6caccd8de4e30b4c9f58d2bc84498efefef01a6fd
SHA512 a9e59ecac7cfdb6bfc570910c6898732618fe2d0ffd22a36eef1c46d21f8a01362c077d545acef94ae246d616f8d58a70afd52d7f28f1e1bcd4cceea2cb56fbb

C:\Users\Admin\AppData\Local\Temp\QYkQ.ico

MD5 31b08fa4eec93140c129459a1f6fee05
SHA1 2398072762bb4d85c43b0753eebf4c4db093614f
SHA256 bb4db0f860a9999628e7d43a3cfc5cd51774553937702b4e84fb24f224bc92e6
SHA512 818a0e07a99a12be2114873298363894b3567d71e6aa9ce8b4a24c3b1bb92247450148f9b73386a8144635080be9bb99a713f7ba99cb74f8e82d01234000074d

C:\Users\Admin\AppData\Local\Temp\GgQM.exe

MD5 aae3c1717dfd6db429de41150870a672
SHA1 0061c93eac7f978e094c48a0b7b292e782f8c6f3
SHA256 e58cc2ac519591aab6ec738910c05106e54401d8e8f4061e697256bd4c4ea6d6
SHA512 077d5a75cfa39bc595fceeb8f9e361aa8eb7f7b2b56e4b749ba749dbf0c44355d9d267fe8893dd7ea47595649c30cea1ccf68feb99757faee6ccf674f8842b7d

C:\Users\Admin\AppData\Local\Temp\Icsm.exe

MD5 12534dc62bb67048086a729f68815a67
SHA1 6d6a40bfec46773818a862c99401a320f8b76f56
SHA256 068acd3a3c2f5d82521939fbae147a429052dabe20eed7db6b92940294298814
SHA512 f172e6d077e441719f1d474949a6f9f67b364e62d6f91bbceb35ce05516ef21fc1ee5ca3ddfa27397225939b9fcc5b92213b6ad37269e91e90700c7748d42934

C:\Users\Admin\AppData\Local\Temp\wYwu.exe

MD5 4832489ffd97e3e16c5ee1243fb1ddbf
SHA1 2635bdc2ce50759401fb52cc0a6ae0da11113052
SHA256 800caadcdb50ab5f254153bb054c03d9bb21235b6253b8731580dd28014cbae1
SHA512 bd1879bf841b536dffe32911aad6d262bea21a559a74df786348611cbce67bc6d51857cd175bcac0f6b8f4f6ea890a19675bca9753630245ff31151d6b54b1bf

C:\Users\Admin\AppData\Local\Temp\scME.exe

MD5 a2c1a411d171b921e5e75abb100ca406
SHA1 47ed61659dba83162baabd560597d4f671d172a5
SHA256 9a915a4bf2899154d53b27628abf6e7ed6a3daf277aace23137478925eeada85
SHA512 007e88c47d64ab5cd5e9573e09fe6e4140dde8675052e4cbf8a4c1fdbbbba9f49762c48aea0b19513fa85fbaa56199144673f6f62970a6d4c9a5dfd6850d2cc3

C:\Users\Admin\AppData\Local\Temp\Amgk.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\wcEU.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\owEQ.exe

MD5 204d87fc617842f69bec54c5b22cf6f2
SHA1 161a4e5b04da1008fe5c8b53c6a0c2292eeaed29
SHA256 bbe828c8c0e9c0e6699056fd7ea010e760d7b96e057ca0e703746969d42f2ff7
SHA512 cdc7e99bbe72bba0cc872fbf12ca32603b1be0976c193807f9353527a31ebb599ed4520a88430f13a149e930b025a553d04ccb8a3a260bab452148a48a1c4611

C:\Users\Admin\AppData\Local\Temp\uAwi.exe

MD5 134e0c781f788cc116e3a5229c1b5a8a
SHA1 c7cd8db0aea61d368bbaed18039d75a0d8a4e1e7
SHA256 e773f3e44926945513b760793a41aec39a68f175d3cf8a963a5803d7f3e0a56d
SHA512 068c6cc1c60add8baa12e357707a4567c51c29c9950a59307d1fd30ecc5107a12b4d347d4f05d8649d2aa8a4f3c69fb1649657e7dbaf3351dc2977acde47e80e

C:\Users\Admin\AppData\Local\Temp\kgYMooco.bat

MD5 b6f6fa5c0a9ba2d29d5b8e7224901b90
SHA1 16407e467f298e8ca5e56bdf5ec13e3cb3154c66
SHA256 6b0dc821ad0060c27c43b8f3188cab3c2219673f2ed2f027410a096214c44121
SHA512 d679acc7fd48c7631ca25a53d13369cfa3613bfa5f96057005d1f6af66478de8aa43ce4d0e0d1dd2538d619a12b6a50190be28f825b0b64f6ec22dfe73b8cf4e

C:\Users\Admin\AppData\Local\Temp\UEEc.ico

MD5 5647ff3b5b2783a651f5b591c0405149
SHA1 4af7969d82a8e97cf4e358fa791730892efe952b
SHA256 590a5b0123fdd03506ad4dd613caeffe4af69d9886e85e46cbde4557a3d2d3db
SHA512 cb4fd29dcd552a1e56c5231e75576359ce3b06b0001debf69b142f5234074c18fd44be2258df79013d4ef4e62890d09522814b3144000f211606eb8a5aee8e5a

C:\Users\Admin\AppData\Local\Temp\mwEc.exe

MD5 5dffa111030505c300841dc090363979
SHA1 df1af8e5bb1c0c0f4b40597f9f05ba18a82f3c99
SHA256 3e8b5c3dc20eed495086678b8a6fcb94731a3ecbe7faf1c2646f6ac641df701d
SHA512 d9bf70b36a3b836cffc2d1dc8a8198d6ace0ec1de8b1993f241d4f6e2ff93104f779c03b63e6e13ee9641d4a4112072bce6575f205e279acfb3a830f28299d05

C:\Users\Admin\AppData\Local\Temp\ekUo.exe

MD5 d8aa75602b4310234c5e4e5de08f9cb8
SHA1 939ec989fadcd15913e956d4499eeee029739704
SHA256 cf6c949b12aaf39e3798f95bad1a42863051069ec811b098b5301347958d8c80
SHA512 fc1117f36187a7972ec20e139897b7e1770150ab4088ec9b363cf27bfe6779d63ebd930e84a73875ac04d41d4607e304552eadd03c85cb694d777c87a44164d3

C:\Users\Admin\AppData\Local\Temp\ioEq.exe

MD5 58fa2fbba4a72f9203ce4ec6b842f12c
SHA1 0840a22193342dce3bfd57a6da347316239f8add
SHA256 f6855b7be7e34833bd6e6476c7e8c2116c0089a77dcedbdaa780384bd347494d
SHA512 4dc7c23456c49c328d85e440962bd509af1f2403dc4e3e111d45c7f3a6da8850d77bfe1312dc153dba90859daa817c372be3bcb0c6bfcb4eb81b84c7f6ee02c4

C:\Users\Admin\AppData\Local\Temp\gcwo.ico

MD5 964614b7c6bd8dec1ecb413acf6395f2
SHA1 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f
SHA256 af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405
SHA512 b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

C:\Users\Admin\AppData\Local\Temp\uswM.exe

MD5 8c06d84fa774dab2db8b42fcb59baeb7
SHA1 95d5f7a58fff0ee54dbe6eebd9b0dd6be40281c2
SHA256 e59506ec0da1b95cca067a076626bd53f94ab8cb025877df4b7f0db3b773a5f3
SHA512 ad58b539b32a6d6fbfd3560cc6b311d37af5372a7f90785433ebda9311eeb8d81c8df62ccff7a66a44b862aaa0d17adb762f34bdcdff5acc20f063d6ac532081

C:\Users\Admin\AppData\Local\Temp\MkAc.exe

MD5 25b25e277e265d61480efb9d9dd39185
SHA1 8c0ef1535604620ada926ba6a234ec5536f98aaa
SHA256 0181d95aea0fbd85c85806458a30f2b19b024ec8c82b6921dfda53782b7d084d
SHA512 805c745094c393e8846666d5859ca62c3f58ba03b3017205b6c8fe75d37f4147dd1b25005f49c4de0240becbe39f7a8366f0284f81526b50b5287f7cdc6f4ceb

C:\Users\Admin\AppData\Local\Temp\SEgE.exe

MD5 f11f6771ce80e5c29866fe539b1e8c03
SHA1 64112062eb3f880fbf55d81497a6b094319f9414
SHA256 b1124a9688017a69519139e655ed7b9437a722cccf22ff06b9cab8c8b469a177
SHA512 d8c2e8b0273ff8d55500d652976678686df51303b6b82eedaa6aac2c436ef2d51525874ebbf55aeee60246ac614858d24df9b5a2111d1b2f1d199c9f8d2eec90

C:\Users\Admin\AppData\Local\Temp\owUW.exe

MD5 2098f4ea1695b8bdee3aa6987409d8c0
SHA1 9cff6bfb73ece1f353727a3ea372a84d138b4257
SHA256 f73ce2f1455061270df0e7e545cd8cbbf7afc6afc16cdd0fad82c7506f6e8dc9
SHA512 e83a8888d031665292ee5193991a84a862edebddc3db7d61b92e692c7a3a41d6a758daead421146f2aa106fafa07d4176259f02d3d2a5a0e5ca731a138935d02

C:\Users\Admin\AppData\Local\Temp\kUwy.exe

MD5 b5b229da41680b7faaee37a4c9ee9e9a
SHA1 fae5047ac5b1ff80d585167723044a83697371d1
SHA256 d02b2ae5f36380aa0331efe9052adb6b3ae15d7540c50bcc9d227ca395bd0982
SHA512 05825648e0c8c4be5188393d4a298288c758f2b4b2c8e258c4b47ed4ac2a17486ae954e0141c5e215689c0d177c3f6b4941e14805d28e56a41868dd03073b9c3

C:\Users\Admin\AppData\Local\Temp\UQcI.exe

MD5 d4011ba53fc687eafa46150312ef3a27
SHA1 4540033adc33b840d648db88fe06da1bd6d5b854
SHA256 846365a32cadfacebe98142ae30906271f1b17d5e2d1bd8698b2dbc5c11756e1
SHA512 3d52d2d73012e7b1e16e36c22b10860297c1336244fb2452d1d10216f08dd2131e5ca0b7485736df78a69ed15d5f6c984b160c02ee7189c2bc8354e25c1ae415

C:\Users\Admin\AppData\Local\Temp\AoEc.exe

MD5 d80cea866e2bc7f1bfa6301f4e8f2559
SHA1 729772920e4cc76c88d84a5585427a29202a6e87
SHA256 1e130d0862669c9db53b3238a715a0c4f3b7e874fbf4dce9052d87df17562692
SHA512 672a173d3bcf41f6e967d2ce71303b330079c88321773becce18b4edd6a883419a5d431769bb235b7c1b7fbc014025885ffe61d912dccaf0da5936174a57e05e

C:\Users\Admin\AppData\Local\Temp\sAIC.exe

MD5 2f97fa443fdd9909b5da1f074a53385f
SHA1 c8f35e255c489003ec561c6cd290436cde6da9e9
SHA256 6049408f48ca9d25460361fd90ddd4a5f01ba59f216d899604165c28a9a434cd
SHA512 ccb144beb47b412d0f65bc0a876d1b27c9c54aaadaa5e1925f05b7c3c781f3a2145c5c02513eee934cce669aad00f6fb3b7620a3ceb9817c663da5231b1b25ca

C:\Users\Admin\AppData\Local\Temp\QogU.exe

MD5 d37955eb8b94606ac0b3ca17adb35679
SHA1 563ceef62318f0977a6c12eae72cca3b6391d2e8
SHA256 e27f2af8a4fa857292fa8ad7dac3b85f9d2ad610d19b4a15a9257093be8a963d
SHA512 e1c13d409cd740dd10f59c8324fc766cf6d7a88451890e6a90ce9d12677d6e8aa62ce6731b339d834f918907848b3d5a3ba61493fda93f2f3c66ce869efa53b7

C:\Users\Admin\AppData\Local\Temp\QEsM.exe

MD5 fa9b63e04a50016ccf46a4fa22cfe39e
SHA1 992bc1918992c978346b0b79a28c717fe097a16b
SHA256 408e109ba52cd22f0cedad5d821cbf94b7aa98cdf1008fc3e89cf9cb370009b0
SHA512 e641c0c3ff43690d1ef32558d247d095222410bfef78cbda3cb9a76655f155668350bfb060798fad18206fa4ceaa608172e41c124fdcf50f95fbd0849ac63fa9

C:\Users\Admin\AppData\Local\Temp\gusogkYQ.bat

MD5 125af1fc4497706d16787b41eee2b74f
SHA1 f9884c7c13fc422b2bbaf61528cef4733c41abdd
SHA256 fb34cf35c7ce911e3688c5a27169fa57d55c881e09c6c3e3a81f8e6825e2762e
SHA512 6e96c5c16e7085be3455f7bc31465f2fd9d1fd61c0bb5467d7d225e9e7c1ccdf6b0262a493aba7fe6d6c59aa3d5d848d816614c3dc3f4d094e84b6247467444e

C:\Users\Admin\AppData\Local\Temp\yAMk.exe

MD5 364c69b684191ba8ad8aed29fdbf0400
SHA1 5387563e5aaefacdd48caa7539435d48690af7ba
SHA256 a71300b1ba6845bf011577dd1ea277327857a169447b04c1126396ad593a79cb
SHA512 2efcc3e8dddc9a639c7bdd7c9947757f487c67215ebc3cdcbf49c73ccf7e162f5e8c0bacd2a5ee4492b71e1776c4c75cf9a787e56e1311f2ed95d01f0fe3ab48

C:\Users\Admin\AppData\Local\Temp\ccce.exe

MD5 3f4356bd14cc169f1c13ada4dee2a012
SHA1 a515ebba470e106f76738b739c6221c1980285a3
SHA256 5b814cb320808e59926f0a8d51ad0a08a01eb7e9ee2ebf46906a1d638b1a91ff
SHA512 e244ad30b1c63817a4b8b92590c122d51646a6d636e1f9b476f9f9f658a85615a5e1802b8758961733424970cf6f1b6b5452ccf8c4e3042d862eae1835d4c151

C:\Users\Admin\AppData\Local\Temp\oQYs.exe

MD5 b9dcc669f1ad019c26753c5ad230971f
SHA1 6d76030f149806d8be347a9925b42f576f4abb23
SHA256 f33589873f0dcc26a5f74135211f4fe880ea41e7f5e05425613f2651129ca805
SHA512 8d394d4ec9b26aba4215ff59526096e1948f018b44af26a21016c7179436eeb7583fa0da4b65195f668145e4cdec45f0a5af8f6e6433c6202ea5e9b57e6815d6

C:\Users\Admin\AppData\Local\Temp\SgoS.exe

MD5 61aaf519d34ebb442e9355ace72cc356
SHA1 fd83e0869202b776a7b257ff2675aa7c997541f9
SHA256 328991e33d49396803786b538d2826bac94e0e916dbb1bb768dbf1d811798d57
SHA512 e43db3a771b7f7c8e72c10f6ff8fe033277d072e8a97e677bbb7fc20f876512b23f14695928750903be16aceb18965919116d54eb174bbdd679a4cf5c8f83657

C:\Users\Admin\AppData\Local\Temp\ekAq.exe

MD5 a8315c444e6f209760bad95b27bfdd24
SHA1 21a9af079dbaa49a4ea5e4bf3bcea887507ae78c
SHA256 77a9e7ff2bc232dd8fda984eaa992761efde2fb24e0dc9093e268ad46db3b1f8
SHA512 0b2b04c1dfb1d19c617c2ea459cff083674409856b35ff981b770276e8ccd191341c030c8f82ebb4c5304a4ab734da8f8694bea1ad35876355928dc4fe8f5f0b

C:\Users\Admin\AppData\Local\Temp\ykoE.exe

MD5 dfe84f7b5cf7da2a4f59bdbf5b193226
SHA1 69a9c26a198bebc9543ee45728b0b97b6263778e
SHA256 e658b24fb5115a94c9aad2484e7e46b46c7d219e1dcc5cd56c61863681d21ed5
SHA512 740090e7e1eb9584117f5c2757f09ac69bd75275ceceaa169630e8e633c6f5ed24c62879c69b6f718af2f62222234366eb1e763876db884ec671e0d35b6c2e95

C:\Users\Admin\AppData\Local\Temp\sIgY.exe

MD5 b08f298b742c74bf33baa9935bbc8632
SHA1 ebd814c02b00b56f787f0cceaa5ac811e7cf6f8f
SHA256 7fc510785bddaa00606a4762aa5fb54050fef6658e1ca044752a1ff8efddb75a
SHA512 c7887a37be43b8f72fd702d4264eb763aca116a16267ab9de5aa77b34c609b7d0a261e2241b1f0cf6a8bac6454e0ba28e78532f8f711920dfafbc3ce4ab2bb0a

C:\Users\Admin\AppData\Local\Temp\IAse.exe

MD5 188512779e19fcc525951cad730c9f67
SHA1 0900e7447eda289780c18f9ee0302678179324d7
SHA256 bc1ac3c9cbb9212547df551a1ae6358e4b6ced827aac67002eece7a4f844674e
SHA512 e71c8ef2fbabc9591835ea876f9a4fd1ffc65be8835b08066c50313bda086e14b7348423525e229714fa7df804780515639c3dd20faf3233cb415a800ef7bf4e

C:\Users\Admin\AppData\Local\Temp\CUME.exe

MD5 9502afc7f0929e641c5628863ec8f4b2
SHA1 37c20cd7aca21924a8437af7621ed10d48ae0f2e
SHA256 e655be01dc6ae3049044cb7ec0bbcb84ccdf8d8bdc836bbb2dd36445c8f2b7f6
SHA512 37d72140d6b7266c7354204e3518a7a9a680625311029e7e4efcfc2e3c4a4b7eba38429da2d301ee46da3c840677fb0e44e1655971ddcc5612318f92547000b6

C:\Users\Admin\AppData\Local\Temp\OUgI.exe

MD5 7862cd9cc6fd42a17377732235807412
SHA1 c4d8f7a92fef3c26e132fcb61999f35ded3867c0
SHA256 191cf56063a9205d6c95d0366a644a6b49c4bdccbbfe368256d6c5624b4e90e0
SHA512 807ac838456ce2140c4de835f8ce394bb4b127596c0911b821446bbb27ec86f281377a9322f17f1d16f558b40817a97968305184c4dadca8da38a22257c2ca73

C:\Users\Admin\AppData\Local\Temp\gEgA.exe

MD5 2e298075c8390b352628e6ff1ec79206
SHA1 f5f12b6a3e37f57e702fda42dc1be5d0853b3629
SHA256 9bc2073d1a7628299e4a709a355475a609e89b9ed297c7e371b46ba09b5057a6
SHA512 22d422ce067ad91b2d227c85fb968a8deefb25f50f5b96094149d959c55dafe248227dd389b9ce414cd9abc4b8015628efe9dbd4ca6895dadbc5587f595d77e9

C:\Users\Admin\AppData\Local\Temp\wEQK.exe

MD5 917ec250cbee8a423d2b66a17744db3a
SHA1 7b128c0d70ddd413a2c13d89ee31b94da3ebad02
SHA256 943f01ea571282c871328133ba9ef236b03ec535ceb5476391927783c8aba0b3
SHA512 d7668ab7c063f41e793887bcf68328f2e7b63f4d5ccec8e91a880a05074ec3d431678831dfeb7c5ed1806bedc28e8769bb2523aa21cdcf9d00257f73e0c14d10

C:\Users\Admin\AppData\Local\Temp\tucIEgUQ.bat

MD5 499124b0a7cf6849412f0a8d37c805e7
SHA1 910fa1caf0de01cb2550979788d72f5539e2f413
SHA256 2c38cecf857c947bdfa52e0a3e1d96901b5ab6f0114b067223e94b3537730993
SHA512 7ae10327c34b1cdf2cdaaf55c5a20f68e50e387a795c01d56cfd6ffbbbe3dcfb5a5337d3297b092640a767c6dc127254d9cc42f6c811db85a76de74ef144d976

C:\Users\Admin\AppData\Local\Temp\iQIe.exe

MD5 1f1cd589b8e73350048f180f6263ec86
SHA1 026b139c734076d2e523bdd1a625c2b494e32934
SHA256 1669e29b92cafeb495df51182e9ff098a562957fc6347b0cfc15b69c89d507aa
SHA512 5f5eb4637be0a314de672556324fb36caaa01388c89ff4bca1f2430b66c271620b9bb3d7a8c4c8a60c5736eea2b8cb6861ca567685358023828c2b00320093e3

C:\Users\Admin\AppData\Local\Temp\iYEI.exe

MD5 347dfdc88b8c818e4141ae646f1cba3f
SHA1 ad7ebb0b961352564918b1f6f5e5d3e120d63fa3
SHA256 9e9e544f3a0d0d12a75c0a48a3a4521bd10cd3f85d1c3803dc1f9c08cf5c3b57
SHA512 1b5d7ce4b7a21a109e37213951d8a91cdd6643b5f36ae5bbb024e9c779172fda8af915e4ab6075b6a7749f9644c6de7b35f0fd2fd6092690e4d344cbdf691aff

C:\Users\Admin\AppData\Local\Temp\qMck.exe

MD5 a675b6276ec4added12fca92719c5f2e
SHA1 dcd6c5a8e2fb3c2b74d72865658fc2a1106d4d65
SHA256 1ac3b65ca5f6250ccf9ed5ab17f41399178b39b928775e1bed6c5008e867d96d
SHA512 e817edfa44eef0ca15ff4c16724f8f0175b074cdc3a77f849d42a8b241bd184ae1bed6ffbdf9ba50c1140566fd48da5445a0e4a1e8b5b1913926a3235332b855

C:\Users\Admin\AppData\Local\Temp\IMkO.exe

MD5 245dde5f75ae21e7d3990db493fbcfa8
SHA1 dd9370d262063d2ad27917f22f585eb4ccf4d37a
SHA256 7fce6ed1c2eddb6662bdec21214de45c01e201c6090433b26f01e68974f3187e
SHA512 84ba1e67fe03fc0a62053c37f05348e5e06c83a15e689ebe49ab51606bba3825962d7c01e267bc5312344af47e17ce6129dd9780121774f06e2b2177dbd280b1

C:\Users\Admin\AppData\Local\Temp\qkke.exe

MD5 3a94fb71fab700e1a178ed5ede43dd9b
SHA1 28039c361a148172580f7d026015d003e1bf71cc
SHA256 65c36f0a6e0dd08f9394814a7661a1acbc64e7ca8412f3bfab11ff0949da165b
SHA512 6bf60a3d9248619db6d192b1da8914f0109f95dd83808fd95f9f2e9e169b3ea8eb42984b646273496323e5261d7ed74093cfaa06c9f9dde2f30298df6c0843b1

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

MD5 cfbf69a8590661aa9bc0b750f9699814
SHA1 45de1935ba2c9198dc42c440c5529acf0f224439
SHA256 c165df0b8939b8e31ee4f02759430238b9cfd2aab97259d7d608356e9b534b68
SHA512 fa50b0b33855f8774a9719321ede88d698687acf7901ae33e9231ca5020df7942e2c18cfc4022514b4e89a39a78adc27f7aec190661b1da35344fd6e5c060594

C:\Users\Admin\AppData\Local\Temp\Gows.exe

MD5 86951c9038abb07d3345515772b741a7
SHA1 dc3479e8e9049aacef1815d732661a5fdb1bda60
SHA256 0dbf82c71dde425aefcebea63fa9c0a82c3c952fe98da62eb76fad2f8eec3dd9
SHA512 fc5cead4a7d2df3f2464c2f7c2ce5f4d45219bf57d9565b9fbc009f71aa469c8ae47ee7fbbcd179118000173451ac3b09e6d036f6db9909e489c405bdad23c7f

C:\Users\Admin\AppData\Local\Temp\qcgu.exe

MD5 1b7f52cc49df493cc7470692a1e8a581
SHA1 7c0ce766579e22cea2a79313e0612893bf1db654
SHA256 cabc0f80cce82c357d9200ad2b91be920620b6eb0e26facfac08dc1370dd3997
SHA512 d3e2753da899d360f116729ab27ba9d894db4f6c389319f0c321f126a452811fb9224e5042d9874b5101aab1ba92bb3fe18d4d582bd0d8f39033cfb1febde74c

C:\Users\Admin\AppData\Local\Temp\sYYk.exe

MD5 4ffd1b6cd6d5f5d027f1d59604b4f9a6
SHA1 6dfd05df3875c511ec20c4725a7918a3bca70960
SHA256 4d34d2360165da344530dbbfb0b0581aee757f4495714296b618cae8d92ebc6a
SHA512 c94e1ed74a664fd7f20a95c275c0225a638e4bad54b07cca656615ca69a2091d9f615d31d2c33d215de15942222510d1bea26eb35d553caf5e35ef7438263507

C:\Users\Admin\AppData\Local\Temp\sMoG.exe

MD5 28b0186b7b6dd19f8dc4d2e4585ee246
SHA1 06ee6d61d15dce35b9d0f26cec10b5a42419f79f
SHA256 779412643c8d6e36366f7a0a9b5b8013761b6813946892210ee5dad5b2cd95c1
SHA512 a557f1b854931aed13f38e166faac287d89421d964d068cf903a15bb7b053fccaf58a077d782b2e826652a1d1db45f3e299f2ee5f686b6be8317b6e5f6dea8ff

C:\Users\Admin\AppData\Local\Temp\yoEq.exe

MD5 a7a0d51ba0ecfdaea32a8184d7c400fc
SHA1 50ab8c4c1ea2b2500f9514d3805ff14c5db7d104
SHA256 e4fc17539a36e77a930fdb34ebf583077975503f18b931f958958591f076282b
SHA512 a0f1b4adfd52d7c345efc40b94f0119b1e5cef3f5e95b440e0fcec49cb289646f4eaddfa8c0998d76c16a444ca4b1c4d3713fac8d87fa10baf14088e47ee250f

C:\Users\Admin\AppData\Local\Temp\paocMUAs.bat

MD5 cef79cb4a74a9109305a3f011b90d32e
SHA1 8cf9d7249b95e3ab497e15526ad2085e54493787
SHA256 7d6c1cb490033391b2fdcb07c92b391ed9ed8b545193f485d703546c4951c767
SHA512 d09ac589a9c7bdf1431571e1c8b1807fa9156fb663704331245feaba0c3987db0d5d8e44d596fcfbe60b2894d9f94014e2ce7f37449420fd1f083bbef122dfa1

C:\Users\Admin\AppData\Local\Temp\OQEe.exe

MD5 e10fef14351f8908a7e6bfbe0cce4dab
SHA1 3ac784ea9ab0aa417d3061fe6b0e793b5aea16a8
SHA256 3b3cdcee1d522fc1ab84592a35038e9d2147ef82ed13e22262d5bf060516997a
SHA512 89d57ee8ec218ae513b39a8ebfb1c55bbf7e1a2dc19b9051243ce71e9dfc46d9c82f7bf8238438435309dd8889746bb47732b22aad93b7d0ff07972d54449a3a

C:\Users\Admin\AppData\Local\Temp\KoYK.exe

MD5 625a335a6d7a2f1aed25e52b52e146fc
SHA1 dfbbdccb61ee42a5195780ceb2a8e8b55ba04609
SHA256 68d2b017f7e97f5d3566bba1b4af88997678b474f0ff44420e6bc0a68701113f
SHA512 739c9d2fb0085a10522f9654ac71235ce8c012fb842ebfb485e491146a4639861dc67bcafa9214e182be65825d824de048080e4e8f7f1f991203cda2ed9e7f18

C:\Users\Admin\AppData\Local\Temp\kIYK.exe

MD5 c5e16338ca07f20355d010588a9fc763
SHA1 dbe5929197530ced40c41264907c9bc0e5b99d9f
SHA256 916efa3ba5b2e1ae9b17f6959859651141d0d8caa817be56f7d223823a059ffb
SHA512 78570435e855be4d71b4224fee7b7b848d3e02d4263144e3942099eb0c059528bb4ee40cf603bf18de3ea8bc6796b52f0e04c89bd9ea083f48392a5df7fefe85

C:\Users\Admin\AppData\Local\Temp\ykMU.exe

MD5 c40389f6d6b3de5275fa31a3938057cb
SHA1 34d23e59d8a487ace6d977f551de8d52461865f7
SHA256 3bb2fbd4a91d9e35f2a13494bc4fbf93ff0d70a1b55e002ecc930e679084c0f6
SHA512 c6e82f99437ccda7114410bbdc84424d3cfc5c83d1e4e86181135cfc8102783487531961be4ac16da460e9eee74bfb341179eee68df3b037fc53bbcc749b85da

C:\Users\Admin\AppData\Local\Temp\Ykga.exe

MD5 86663db72f28dc18cec944897802add4
SHA1 8b6b4da06bc5ff28d1d00dcd01bc0418ef275cb3
SHA256 e740557436655c98b3823847ab6b4b0997b6f11b4e4ef6e576600a2497e12397
SHA512 e24e215e119bdf092d6a79a3aeffc5c16171227d68133d6e73250855b4ddaeee78f24682e37204a03a258d0e3eff97d91f6b241dea62563d784320ab12ab7bc8

C:\Users\Admin\AppData\Local\Temp\kcQs.exe

MD5 85b8a38c31bdee33ee9278119b114cc6
SHA1 40312da88b0c8fc0aa33ad29edc16b1d013a68fc
SHA256 d1e2cbc1d93200c29e64b8e02b194f88381594d21e7ccbdebf4ea8470126cee5
SHA512 4f33d0b1a552e6a946c7d4710147df90e8583418ad5f442870aa5064021dc6d864af6adbd4e1f211a9ea1a91795266d4a0d7f25a14a91bdcd76512a6fc0ba667

C:\Users\Admin\AppData\Local\Temp\MkcU.exe

MD5 c8705fe092680bb01d2cda634230d471
SHA1 d634ae7232b6dd06736efb74e764b9c7b711fb9a
SHA256 71cae07c178a1ae3835f371780542431ff579b52d357ef6de6b7344ab78a7375
SHA512 d7422220d1b8a961219e3e92ab9d169fbad3f9486a15fbbffedd8c9dc21f50154b12baa319c2c8d15f236b264d02e257488a2f9cfb984d609119627262b62a3b

C:\Users\Admin\AppData\Local\Temp\CgAY.exe

MD5 8b0ab4a1931184e2293ac718cdf8dd3f
SHA1 2c92685951ed5e4e47965974ed949d0506be74ac
SHA256 cc8eff38af0ae6b82b388dab8424c538beae915b9914d39643fb2e05bfcb5028
SHA512 caf6c72a4639a9449c49dbfd8b0cc41d2c6acc964424b75147d24aca8943f61561b8ae903673af30d0f5c33c5e0a4d0b6662bb647211534ee1c0a1f4c8cb17c8

C:\Users\Admin\AppData\Local\Temp\ocIU.exe

MD5 99a5e088bff84f6c007188beb680e560
SHA1 368efcde88d09fac8bd490676f02d103c115f033
SHA256 bc14059056fb0c8581bfc14a29f6fb2dee8f68c05199506c0dd9edddd6b8a3bc
SHA512 d15b58e9a8c1dbd9091ebdb616860ca272b81e690b903000e616ff35a09539d0cd22c37746c3b375339e2add6e7cdc7ac46cce923c6ab18e482b2f5dc8d16e98

C:\Users\Admin\AppData\Local\Temp\IqAQMEUA.bat

MD5 b3f847674244c7b81ac4386e39ebd794
SHA1 d26a12175ed5eb3af5a3b2adffae551a8fc9ce5c
SHA256 cae7ea0b6a4f132a3de190b30fd0b729f38955bb3d128998f9d066f58ff20fe9
SHA512 48562d98bfdf4d89ac98a4d76d5840e2614dcc231b60c53aeb08b1599c07012d9a737fd19eabae49b1162c37e38ab215658c6facac2905253c60ed96e26a1edf

C:\Users\Admin\AppData\Local\Temp\OUsg.exe

MD5 d5f528d6d329cd21e7192e01b2ba5a7e
SHA1 e40e340affda11f6849d6382382396084dfe66cb
SHA256 18faecc0faf84d12422b87eadbd0466f29c130f78243165c0166ccb3a8c27a13
SHA512 ab149ae9ab062d4cf810aed04d39bf2d95be7612dce0d8b1e4c03838c17844c56feb7210f4903d32cc37233fa003ef825b4d994eb8997cafbb378c532b8c3052

C:\Users\Admin\AppData\Local\Temp\gkQy.exe

MD5 fab83f65f8f8de3334d9bfd918c250a2
SHA1 895ef7c2be316fb06edc83b4caeec79c9e60720e
SHA256 691d0dd954740cf69055c42c6624866040073e6eb370169299739f636edff43d
SHA512 eaefceae6e4931b2c0efe60b35adbd6919244c0d4c95ed52a931d7cce3a9e34d4ca2556281e8b175321e9cf2b19b1ef21843bbd489a7dc3f8495d6a772ed5e45

C:\Users\Admin\AppData\Local\Temp\EIoy.exe

MD5 0115e62933e4c7a7d7fd03ccdaa12a20
SHA1 e08c4c68aa416165010d3973796c2c64973958c6
SHA256 cedf101013fcc9fcd95cd089411bad38f7e1d5b00813e6c30ffbdf98db7ba7b8
SHA512 4cc8f5143993cc9f95b1ef7dab02cc692e06f7b4f2f2aa983e72960f83078f1b3781be926c52028d1ff67dadd6e3aa02ac2d14613d6a94456086de6d76632192

C:\Users\Admin\AppData\Local\Temp\MAoy.exe

MD5 dd08d5ddff6212be5fd573da7e7b52f3
SHA1 c4fb521b85502fbe22b48e30678d276ee5e9545f
SHA256 463074e22ad828c75346a57e7ce98436a57b5cfd17cd7ab9d8f71ef68a30451e
SHA512 c5886bc22d38dd29ed192aff1d67f501e27ed56e2fafe65655bba0ad29d9559def47d442a7c12040d69624342a0ced84fb62d5768ede2a12a4f15140920e16b6

C:\Users\Admin\AppData\Local\Temp\MIcC.exe

MD5 5e96f807563493c92b740b89f8cc8135
SHA1 659ec6b7030a857c6a65d52d1a879a1d85729547
SHA256 b45f09b365a40acfc163884dff60dbc51aaf9d207daf78b111bde3df3a51872d
SHA512 b54b91a797c27b941b3350305fbbe8af5c71e0578128d02bcebfa99bed80d2ab9969eb8ddaa79993bd7f03f5968123d0d7e7a94405bb444eeaaff7056a108648

C:\Users\Admin\AppData\Local\Temp\AOMYMcYg.bat

MD5 5c0db2898be953cd39302d1c4ca88c08
SHA1 a4f0e46309df18c11bc725277082a59acf637a1b
SHA256 07b5ce7e59014b5d83879d5fe0f759c01eee807615f9f2c7d068f2d6a4dbb61d
SHA512 20c463e6e064f75a2f045a2dae80c118c7ea6bdf4a84097a982c23c416c04c9601062248565c3aab081d4e5e904566e6e90a43b25628358df0cc760e1a03a3ec

C:\Users\Admin\AppData\Local\Temp\ikIM.exe

MD5 069907d0383bf4ce25432beafe9eb17e
SHA1 61da874508f63a5bfd5769ecd6924f172ce09b00
SHA256 cda6ba87b146e826db276c968d0ee37a8ac40117b61182847060d58392fec8ab
SHA512 9f6e7e51429d6960c67765b9263d0cc2a352f49864739c0f72e2f70b99ec1f897b18cb3aa0ec7f5c999c77dc3370d7cb2a43796287d0f7edbd8c763931633605

C:\Users\Admin\AppData\Local\Temp\KQwg.exe

MD5 b2bd154fd6f8095cf2433dd03ec87dc6
SHA1 7dfb14d883e99cafda67c2594ec5a8954b02dc99
SHA256 af497f1e355846b426fcb0f4b08d8ce0ba73e668cf9d81ddee9fc99f1501f62b
SHA512 0cf2f3f50a6b185d8e052cea6798e71330fc8855aeff35a3407e654675c8a2bf1662f28e81d7097f21b08a0d5b8c10e94db4fd68b3e5942eb23a522df634baa8

C:\Users\Admin\AppData\Local\Temp\kMoW.exe

MD5 1c6f2a6061a7e346fa33f3316539acc0
SHA1 c05cd2910034a46b440c6aba85890d6cc3eeb9f9
SHA256 2216146ae216c802658a332f108d388f29b8cef45bbf92a06b9c6fb4f0a7a6ef
SHA512 23f5f724b74c153fdaced401e9e2f172053a5ac6a911654be2bf916ac59c385752fec7321ac42107b47838d34e34ccf704f9ae12724527a25e230f66fe7690c8

C:\Users\Admin\AppData\Local\Temp\AcIS.exe

MD5 8b11b5e5c793cec57df6fd0b0f041342
SHA1 075aad574f27263a61cc4b06f34982301fe93ed9
SHA256 cc959bdd9f850a19a094253effa63acbde09f4a929ff7682f6c7935e241de6f2
SHA512 7181a40bf5760c2c02c1a8c04b2826be2c111959e343869f6ef7a4ea88baf48643a32fff5f080935ca62c7d862a717837c9682f48ca69ad50d45213da3bb7b52

C:\Users\Admin\AppData\Local\Temp\uUAG.exe

MD5 20f2caf32bcb146da066da4fcce4495e
SHA1 589763b9ef8e2d1b6dd5324a623b11b93342314a
SHA256 ff1e27f15b594159e9aa079e176ed5ae00b3a7145de45ea1cccb4066fb835406
SHA512 dbe1778386c6d4dda5545faa6e467ff3544435f85d6b25cc678543f1852a10dc210a38f23904aec68fe79a842a4a846a43c1fb47fc191390e5b79cf62f0d8554

C:\Users\Admin\AppData\Local\Temp\fgMcQMUQ.bat

MD5 4bde7a9000507d1d7ce9259f39012780
SHA1 d17c2f815379b08f7caeb2241bc794f9b2b07149
SHA256 571ba093e3d22a6ac3c6c124581741baf9923b2a4e99359d4b51859ede62a762
SHA512 cbd81c9089e85b4ca941067a1dcad123178c05c24d65173c139d7a719bd646927889d3401c88c6b72b7281d676e465ecc5caba4462ffb96a39f24c052d6e3c5a

C:\Users\Admin\AppData\Local\Temp\IcQi.exe

MD5 e4159af3b7e37ed5fb6995f1bfb91039
SHA1 0eb612500ccf1080253fb858867e6fa4ccd60054
SHA256 06167294fdab5b7bf78847a7199b055557d2ac71504cfa86eda43a9a832865f6
SHA512 3fbaf99606e591a3b5656cdd639075fc3c26696681aa335f424492c1ed2296edda4e0a0648691b8c86af17fc62635d8b6f3f78580cbbf9073b79336ee6a968cb

C:\Users\Admin\AppData\Local\Temp\akgy.exe

MD5 9ba7fa6e5c6848cc7e890899a3ad1851
SHA1 9c9586b936c3c8b354b08d99ea015131ef6155b6
SHA256 ddffb4b3fbda12f40367bad4c94ecc0bdef8efbb241b7f7f3b8e4418948b4a89
SHA512 c00ff53a01eca4bed6b3394ce3067185034d76724c80f0c97c3d26d70a1005abb31ee717ab4744b7b8ca45459c7739c39de93a7e1e9288869a29836daeb71cd4

C:\Users\Admin\AppData\Local\Temp\NOIcMwsQ.bat

MD5 5436793877c2a58e1f90e2472be34c4d
SHA1 563216603a7799262f8cf783a5dd8ef574ed7eff
SHA256 5b6187f0b40f7942ba4e2a2736c2964a6640316e494a6617cd6679dd2dc7aa33
SHA512 cb4e2572fce7b1a40bd976005f546dcb71616831df5ce87d0a34b270d83f25374b09929611e708c9b6784317b01d632bbd07d5852d6e255546dcce7aeddbf300

C:\Users\Admin\AppData\Local\Temp\XAIkckMM.bat

MD5 3670d2fd2eb5d5067f3ff883dd30817b
SHA1 9e870a206cc91fe604998f4cdace1c1c1f89bdff
SHA256 30c124a3813670e0e7603a8ff21e2b0b507ef95cb433db6cedf4d64e62ab0243
SHA512 189953d0ae6c8fd40f243e6a03873c602abcf561d0c2149964cd18e3cbcfef8648b5dbd181481da863048202388b988d431034b67370b8efd80601df4c4ba2c3

C:\Users\Admin\AppData\Local\Temp\AWccoIAc.bat

MD5 ebe60956b0c0d50c2ede3e14c5055ce2
SHA1 2973f1c407b16e28c63d880f43520da4cef8905c
SHA256 1c0caf93c1d9191adee8cd8414e960f4bdab41f4c86899a2676d4a6a8e9ee071
SHA512 eb78d86fcf8a4f4bfd5c15f3fe73d0702d7d5fd3f4e4f19cc38eb59e605f6619ae0ece9cdf4dd1b20348258120da891922cca4fc4833ac4b6bef44b08fca89cc

C:\Users\Admin\AppData\Local\Temp\COokcIAk.bat

MD5 8417fa601204b7b5c9755f37514f17ba
SHA1 cd3ee762e1f958b663730890d9439045c7271399
SHA256 2a3067ea4ea23402166d6a75a13b5aae0e2f284a25a5e7d8ba29c51fc531228f
SHA512 c875185ea7a1f8c50308666681ddc857fe3d4d7c2c253177c713cc56e41a3fde238f000deab0ead72c87591933121487fa84121d5509b79925cc5c530a905b40

C:\Users\Admin\AppData\Local\Temp\yoossgAo.bat

MD5 907e6b7a870635a592c4246ab63c6302
SHA1 8e49afbef09123adcb2f4636392f1b2312d36c26
SHA256 79e0a59a08f4fb34041762bed2290c5e2735f9ab26590ea8b0b6e608b61624e5
SHA512 3b61d07fb38fa51323240f8f00d552b7afedeaac6d6e0d2ec7d8003db556ecf6a33fca6a6720d82f71e511786df0c736999f14e89f63406928d5c55d945b597a

C:\Users\Admin\AppData\Local\Temp\aIYwYAYc.bat

MD5 4e1f55f3bead90f9ac66b2cb8f8158fa
SHA1 cefdc55a0e850b7b856cf34a70c26c34ce4163a8
SHA256 20d70bff5828a7668cede769f5637b12426b272e8d64c9c43f44619674f10274
SHA512 b21bb4836b1f6e113f3f5c19598a34fc3c7ae51a7541294a7e3526e64ec04e2748c06263908bb2866e7f0e147e0c6699b5ebdd0a610fb05838a754742d577743

C:\Users\Admin\AppData\Local\Temp\tWQYEEos.bat

MD5 4749f4d34bc5424b3646fe161b41c0c4
SHA1 ecb8d70fbd013657e1a224f9ff6a3f3c59b5c10c
SHA256 3e13860692204150f863667cf494b1d23efef7c72af66cd3114af920ffc05617
SHA512 ec6fc3949dce8c4d4d5e517290a15d4af7eef3e696c3c166fe3ef5e371de13174ac911825270e06c6be49bca2b6a221df06544cdffab6eaf2c491be5108fbcbf

C:\Users\Admin\AppData\Local\Temp\vaQQUgQs.bat

MD5 166c21137b026666ec6d3e923133b7b3
SHA1 97fc7dae102a9fdcd871106e865158e189cdfac2
SHA256 459d06a86dd793c0b9e9e031398e592eb65346b8a1d4dcbb0c2bbbd5f9428643
SHA512 8adb0da88ad321f4ddad8ffdfeb3bebd45d58e4a1c2a8333960a7c2a47b9d2999fc4e14047b5e5f7ae776ed3bce5de1ef491455780b4ac541e4869c1c26c2db4

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 20:09

Reported

2024-10-20 20:11

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
N/A N/A C:\ProgramData\VEYMMwoc\rmEEsAkE.exe N/A
N/A N/A C:\ProgramData\okMEIMcQ\KGAUgwMo.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rmEEsAkE.exe = "C:\\ProgramData\\VEYMMwoc\\rmEEsAkE.exe" C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aCEIossI.exe = "C:\\Users\\Admin\\OUMgYEsg\\aCEIossI.exe" C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rmEEsAkE.exe = "C:\\ProgramData\\VEYMMwoc\\rmEEsAkE.exe" C:\ProgramData\VEYMMwoc\rmEEsAkE.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rmEEsAkE.exe = "C:\\ProgramData\\VEYMMwoc\\rmEEsAkE.exe" C:\ProgramData\okMEIMcQ\KGAUgwMo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aCEIossI.exe = "C:\\Users\\Admin\\OUMgYEsg\\aCEIossI.exe" C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\sheRequestConvertFrom.xlsx C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
File opened for modification C:\Windows\SysWOW64\sheSearchNew.mp3 C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\OUMgYEsg C:\ProgramData\okMEIMcQ\KGAUgwMo.exe N/A
File created C:\Windows\SysWOW64\shell32.dll.exe C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
File opened for modification C:\Windows\SysWOW64\sheCompressGrant.xlsx C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
File opened for modification C:\Windows\SysWOW64\sheMergeDismount.xlsx C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
File opened for modification C:\Windows\SysWOW64\sheOpenFind.xlsx C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
File opened for modification C:\Windows\SysWOW64\sheRevokePing.bmp C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
File opened for modification C:\Windows\SysWOW64\sheTestConvert.xlsx C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
File opened for modification C:\Windows\SysWOW64\sheUnblockSearch.jpeg C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\OUMgYEsg\aCEIossI C:\ProgramData\okMEIMcQ\KGAUgwMo.exe N/A
File opened for modification C:\Windows\SysWOW64\sheApproveTrace.xlsx C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
File opened for modification C:\Windows\SysWOW64\sheUnregisterOut.mp3 C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
N/A N/A C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
N/A N/A C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
N/A N/A C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
N/A N/A C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
N/A N/A C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
N/A N/A C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
N/A N/A C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
N/A N/A C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
N/A N/A C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
N/A N/A C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
N/A N/A C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
N/A N/A C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
N/A N/A C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
N/A N/A C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
N/A N/A C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
N/A N/A C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
N/A N/A C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
N/A N/A C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
N/A N/A C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A
N/A N/A C:\Users\Admin\OUMgYEsg\aCEIossI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4180 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Users\Admin\OUMgYEsg\aCEIossI.exe
PID 4180 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\ProgramData\VEYMMwoc\rmEEsAkE.exe
PID 4180 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\cmd.exe
PID 2044 wrote to memory of 4956 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe
PID 4180 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\reg.exe
PID 4180 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\reg.exe
PID 4180 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\reg.exe
PID 4956 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\cmd.exe
PID 4956 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\reg.exe
PID 4956 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\reg.exe
PID 4956 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\reg.exe
PID 4956 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\cmd.exe
PID 612 wrote to memory of 3748 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe
PID 4664 wrote to memory of 396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3748 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\cmd.exe
PID 3748 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\reg.exe
PID 3748 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\reg.exe
PID 3748 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\reg.exe
PID 3748 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\cmd.exe
PID 4324 wrote to memory of 2056 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe
PID 1448 wrote to memory of 1120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2056 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

"C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe"

C:\Users\Admin\OUMgYEsg\aCEIossI.exe

"C:\Users\Admin\OUMgYEsg\aCEIossI.exe"

C:\ProgramData\VEYMMwoc\rmEEsAkE.exe

"C:\ProgramData\VEYMMwoc\rmEEsAkE.exe"

C:\ProgramData\okMEIMcQ\KGAUgwMo.exe

C:\ProgramData\okMEIMcQ\KGAUgwMo.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bGYkEUEU.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ccAgsowA.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uOAgMYoc.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PKQMocQM.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xoIYooog.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gcYgsoMw.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SKwAkEcw.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WoEIwowE.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RiQQwcos.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUAMIUow.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEAgUkIk.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BYwscYYI.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkIgcgoo.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awcYAAMA.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEkQAAwE.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NecIYcMY.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWssUoMU.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OSAwwQwE.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mOcIUYAo.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DwsUEIAc.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hksQEosU.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dOwkgwUg.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CWgwEcUk.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kaQkwgAA.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SkMcMYoM.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQkMAAsk.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nwUwkAIM.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pesoIwMo.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jyYAgAow.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEIwUsUI.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IUYIUYUM.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGMQwcME.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgQYcQwQ.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZygsIEYY.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bYMIQwYc.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RAEAsQgU.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YMssYEgk.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YqQAkwQk.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UasYAsEo.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YqoAkcYo.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HyEsMIEo.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TscUowIE.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lswcMAMs.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WGIUwwcU.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iqYYUUcg.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYscUoYw.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PKUQkoUY.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TwcIcIwA.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uCUEcgQw.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QuYcMkIk.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emQgEAoQ.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eaIUwwIo.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JyQEQQcs.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcogoUkE.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmcYkIcI.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmsQAwYk.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yiUIEQQc.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGwwwUIE.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SSwAkgQo.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bWsAYIUM.bat" "C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
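
The three reg.exe invocations repeated throughout the process list above are the concrete evidence behind the "Modifies visibility of file extensions in Explorer" and "UAC bypass" signatures: HideFileExt=1 hides extensions in Explorer, Hidden=2 hides hidden files and folders (1 would show them), and EnableLUA=0 turns off UAC. Note that EnableLUA lives under HKLM, so that write only succeeds from an already-elevated process, and the change takes effect at the next reboot. The script below is an added example, not part of the sandbox output: it parses reg add command lines as they would appear in Sysmon Event ID 1 or Security 4688 process-creation events, normalises the hive and key, and flags exactly these three settings while ignoring the benign reverse writes (HideFileExt=0, EnableLUA=1). The SAMPLE_EVENTS list is constructed for the example; its first three entries are copied from this report and the remaining ones are invented benign variants.

```python
import re

# Hive abbreviations reg.exe accepts, mapped to their long form for comparison.
HIVES = {
    "hkcu": "hkey_current_user",
    "hklm": "hkey_local_machine",
    "hkcr": "hkey_classes_root",
    "hku": "hkey_users",
    "hkcc": "hkey_current_config",
}

# Watchlist: (normalised key, value name) -> (data that is malicious, report signature name).
WATCHLIST = {
    ("hkey_current_user\\software\\microsoft\\windows\\currentversion\\explorer\\advanced", "hidefileext"):
        (1, "Modifies visibility of file extensions in Explorer"),
    ("hkey_current_user\\software\\microsoft\\windows\\currentversion\\explorer\\advanced", "hidden"):
        (2, "Modifies visibility of hidden files in Explorer"),
    ("hkey_local_machine\\software\\microsoft\\windows\\currentversion\\policies\\system", "enablelua"):
        (0, "Disables UAC (EnableLUA=0)"),
}


def tokenize(cmdline):
    """Split a Windows command line into tokens, keeping quoted paths intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def normalize_key(key):
    """Lower-case the key and expand the hive abbreviation (HKCU -> hkey_current_user)."""
    hive, _, path = key.replace("/", "\\").partition("\\")
    hive = HIVES.get(hive.lower(), hive.lower())
    return hive + "\\" + path.strip("\\").lower()


def parse_reg_add(cmdline):
    """Return {key, value, type, data, force} for a `reg add` command line, else None."""
    toks = tokenize(cmdline)
    if len(toks) < 3:
        return None
    exe = toks[0].rsplit("\\", 1)[-1].lower()
    if exe not in ("reg", "reg.exe") or toks[1].lower() != "add":
        return None
    parsed = {"key": toks[2], "value": None, "type": None, "data": None, "force": False}
    names = {"/v": "value", "/t": "type", "/d": "data"}
    i = 3
    while i < len(toks):
        flag = toks[i].lower()
        if flag == "/f":
            parsed["force"] = True
            i += 1
        elif flag == "/ve":            # default (unnamed) value
            parsed["value"] = ""
            i += 1
        elif flag in names and i + 1 < len(toks):
            parsed[names[flag]] = toks[i + 1]
            i += 2
        else:
            i += 1
    return parsed


def check(cmdline):
    """Return the watchlist label this command line hits, or None."""
    p = parse_reg_add(cmdline)
    if p is None or p["value"] is None:
        return None
    entry = WATCHLIST.get((normalize_key(p["key"]), p["value"].lower()))
    if entry is None:
        return None
    bad_data, label = entry
    try:
        data = int(p["data"], 0)       # accepts both "1" and "0x1"
    except (TypeError, ValueError):
        return None
    return label if data == bad_data else None


def scan(events):
    """Run check() over a list of command lines and return the (cmdline, label) hits."""
    return [(e, hit) for e in events if (hit := check(e))]


# Constructed sample: first three lines are taken from this report's process list,
# the rest are invented benign writes that must not fire.
SAMPLE_EVENTS = [
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2",
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f",
    r'"C:\Windows\System32\reg.exe" ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f',
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0x1 /f",
    r"reg add HKCU\Software\Contoso\App /v Theme /t REG_SZ /d dark /f",
]

if __name__ == "__main__":
    for cmdline, label in scan(SAMPLE_EVENTS):
        print(f"{label}: {cmdline}")
```

The matcher keys on the normalised hive and path rather than the raw string, so the same write issued as HKEY_CURRENT_USER with a quoted reg.exe path (as a hands-on-keyboard operator or a script might do) is caught alongside the sample's shorthand form, while an administrator setting the values back is not reported.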

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
GB 172.217.169.14:80 google.com tcp
GB 172.217.169.14:80 google.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 14.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
GB 172.217.169.14:80 google.com tcp
GB 172.217.169.14:80 google.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/4180-0-0x0000000000401000-0x0000000000856000-memory.dmp

C:\Users\Admin\OUMgYEsg\aCEIossI.exe

MD5 f993b6e5d3ff533fef8555f63f588868
SHA1 ef93ebbeae103a40f4b088e2c306180edc8fc391
SHA256 bcf42f0436ef4b4025dc5e6e664aa53ad2dff660fd47b8f0088e88de05cd3611
SHA512 408610ac86963de68f0eb1a5b1914d58cf7cd683a8aa8b62503d7305e9847842352c98844bfde84fb594c3acea7dc4b566fc83dc994f0c6355d067c28ec3609a

memory/736-9-0x0000000000400000-0x000000000046F000-memory.dmp

C:\ProgramData\VEYMMwoc\rmEEsAkE.exe

MD5 707b2734a05370e913b083854d05e839
SHA1 866bad3a6a6c99ee4856944ed4534f50f738d850
SHA256 9628c29c5d71441aaad4dfd4782d3f7cb4b3ed6c871a1c596971a25ab7bb9ada
SHA512 b1005a634a1b37d9bd6384e7a0baca413a299d528c88a768f864f7b37440446ddb1a4ef8b223967e1d31eae096fa9b7bb3e075539dd28d344e7008c3f5119a34

memory/4496-14-0x0000000000400000-0x0000000000470000-memory.dmp

C:\ProgramData\okMEIMcQ\KGAUgwMo.exe

MD5 37bbffa6a0ba578c80ae6c2e1cb72032
SHA1 54aca344bcf42293a139058bb05d77de137bae2f
SHA256 16a43e02edcc6c33148388a2e5cc34a86b3550433ad69c7697a173757039fc34
SHA512 aea9c47136dfe90e573638b9c1e7da6980396392ea8d188fb74fd2a9db2088582c22a352934d1cf3e9a0e72b46a8e6391e913f3d7de68a08ecd20cac53fc04aa

C:\Users\Admin\AppData\Local\Temp\ed12976c1d2d586dc8d84a82a3b25b87ee6cbb340465d25798b9e741058ae9abN

MD5 5bacbdba9af42150c27b1a182ba169f8
SHA1 797fdb039b9fdb9d271119376d50a4e532bd6c68
SHA256 c30cf61dee7def852eaa738aff1f63b6a1bc59de7f7599fa11ae685d46b55835
SHA512 6cdf90fdcab3434b2b6b610b2daba58b71feb8f1394c89e6c6f9c424fe9351d50660fb4fc459b52352b77fdf3573edd4f13bff51078605972e711927dfae23be

C:\Users\Admin\AppData\Local\Temp\bGYkEUEU.bat

MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

C:\Users\Admin\AppData\Local\Temp\YMIk.exe

MD5 13329c518af07e5dfb3b26ae8a15e38a
SHA1 ed50aa6f25294d7ec5c5ff5f279f0435f199a5cf
SHA256 272a0e0751abdf557186de58588ba27453b23ac740383b456b1ba7cfe98bdce2
SHA512 e62550235f5e2749f0e2fc2db46a85725ee5091e119452e44611c9828362695b55f7635493cab50f08d144e466854a8926b93533b144680693dfd2b28cef547f

C:\Users\Admin\AppData\Local\Temp\gcUi.exe

MD5 0bf00a056f21e23a1738e55f27ec7698
SHA1 7427bb443e9fd617a5f1b93e820de5467450d53d
SHA256 6bb84a4f73931b3792109efe66d88224e735a1d7bd5612b1266909552c8c5b22
SHA512 e54e7de460dc9af1baa9a1b287eb79db5285636166774d9de0e6ff26dbaf7addb19908dbd797764aa5243580d2c639a399195941f314ebcbb2cc762bcdfbadbc

C:\Users\Admin\AppData\Local\Temp\MYwY.exe

MD5 9675fa92b19fd13ee9bf05fff8132707
SHA1 063117d79dc895dc9d38659e9a0e1725a8e06e8e
SHA256 879be368eaade4fe670ea79acc446857f0413bc881e1cf1fd82b274f0075faa0
SHA512 94abae58b77ca0b960808a8bffb46a695b0d0f155369c4eed9f36589362b4808037d1acd4770a643872479a50ffe55a97375b4d85cee3b545a5654f54be710f1

C:\Users\Admin\AppData\Local\Temp\wKAc.ico

MD5 ee421bd295eb1a0d8c54f8586ccb18fa
SHA1 bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA256 57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512 dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

C:\Users\Admin\AppData\Local\Temp\yIsG.exe

MD5 5e52c90e0c6ccbfbd67479e3d08c7815
SHA1 1ebadc1eac742163160049276db11f0efba1029f
SHA256 59e3f234e8c327d4a5cac1c3271649d10a108a8942e530e529b4207dce0e4903
SHA512 97b073cb48c7cde0c2b2a1a2c4c2f72c201f0d0ca89c0f3642ba6aa94113560823d942c71007adde8409ae7cffb9876cb3fc6011bd0e64019f80f461dd33f58d

C:\Users\Admin\AppData\Local\Temp\kMEA.exe

MD5 a54093c9c35fcd287eabe2b8e2c4feb3
SHA1 3581f3f5cd014eb9ec943f8fae327539db66630d
SHA256 70e367785bb8e120872525b1a7d2468743222fc7e90ba3784bc521622f9e1fcd
SHA512 cc3af7b5ce2c68a50db0aa35fc42209adc01ac8263bc25053961603c2d3d4f967cf7cc96609a2dbcab6084bf844a18452353653672d41dcc7524f2036b714e9e

C:\Users\Admin\AppData\Local\Temp\McYY.exe

MD5 5558c9f50eeb0aaa6490d7dac1b8fb81
SHA1 8ed83e0fdf7a3dafd5af7246b78f43045b9009b3
SHA256 a8c28caf00463196e7fbf734403c0733969769d229f8a79721adf6afe77b675f
SHA512 e5c55cb5d2d1c857773b46b31482e3b9ab3ba10f7617fde7fcff049a42d5030f61903f7971963b1a915d9423ef8f027de183f18bba3cbbb89faf4492f6de2631

C:\Users\Admin\AppData\Local\Temp\ewAa.exe

MD5 67d80e21ab1d81c105a93ac8a05d9731
SHA1 d288ef66e20d6714ec374bcf022840d22dd0c11f
SHA256 e02b2f3894b03457f5e31b13a7221df4e3ed3fe6b1ff965b2486cc9a944ad7f7
SHA512 090e8a70834a74c42de438a276da0a26d99c337875be91c88464793f2d599d170a530f293e1d8046508cb50f798c6108a8f4e0f6a061847d4ad83a88411c63d7

C:\Users\Admin\AppData\Local\Temp\WoUg.exe

MD5 d6dc3ebb21161746c9a86fa80b154ed6
SHA1 21c0c0766b9ef41e6a6af0c36366cd0e2b28434a
SHA256 2eed53ca0efcd8371835276c302b1494cf5868b778e082ab65624f59f289f899
SHA512 f360ee1dbc2cb73bb6c2ff5f4c60e392a09ab68350b3a59bae057a797c2310b9c4a39a4e24271a0ad67cfc125b147a67b34274faeb648de7f68300dc5f8f41c7

C:\Users\Admin\AppData\Local\Temp\YYgo.exe

MD5 7fc639853cf3e0c4e73e0799c502b0a9
SHA1 8b819ed18075ad7bb2f76ade3b3d8415bde1fe2e
SHA256 9b911cf2ce452b46e383843da19509e2f643b9685f0239b2b628b13f08d3f800
SHA512 4dc96fa8f83071939bdf8bb109cbd9a82591d38caefcf9c2b36abe19caf0f5bc9f40ed782f814fbadb1cb0e2f8487a05a181a7a02b830ae4f39f9ba30881e6d1

C:\Users\Admin\AppData\Local\Temp\gowc.exe

MD5 9f9299d4367c9bf488b6c9fcc7718ac5
SHA1 31575ff14abf28b8180991a714dd8ebbe3ae137f
SHA256 d9ac664384ff963683ed652b2d60397a563e3b4ebebe65191dee829f01341f64
SHA512 eda3d9c80f9b109ff512735374e84d8863875c3f744312679f847c0106df8d9d52c6e286d8f8c54609f8bbcf7ca222a0bed5e511b1233ce2d5e99829d7fbd1c4

C:\Users\Admin\AppData\Local\Temp\WIcc.exe

MD5 5d6486117efdbe1b9601b7c02e4766d7
SHA1 591b3da48f21bafe108db5723024d82bcd550ec0
SHA256 722bb5a57d1895edef0553284784b41b4ecf32e74215b68a6631213718b65ca7
SHA512 b6609229050a13427e7679943e3000d9e7f30115499a5bb1a5537b15ee031c7359d4d3daf241e7f3122014517a68ed86d1f5a98a1ae637fa86799cbdcd9fa521

C:\Users\Admin\AppData\Local\Temp\gAkM.exe

MD5 503a829377dd60df018971aee1a16cc5
SHA1 421a00e718a185d2a801008917eb74c17e211706
SHA256 77e7df0104d42e7ad03b6f585a3c149a3ee807ddeaed9188419841c0703fe3cf
SHA512 2f08b0084904c4f0f6260b11ded51fd7de4962bd58d39134a88b3004fb03dfb29cdd220f0c6101b44edf40f455d576e42af8b48638841a2d37bb217a06161276

C:\Users\Admin\AppData\Local\Temp\YGsw.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\OUQK.exe

MD5 b053c240eb9e750777ecc487abddd33a
SHA1 f7da92c541dc1d7f441536ea5dc3af4865064225
SHA256 bf73f14ebe909a2e4051596f02f218282e99192632e21492ddf9aea405ae9786
SHA512 bf6406b84e55de25e690437ba5c46fc59c0174139129f9ceabf691122dc271e8da61776279bc181d5999b831e4eb90b285819e4146f5a27a0eb837e19bbf51bc

C:\Users\Admin\AppData\Local\Temp\GIoE.exe

MD5 e10d62a8c1850a999cf45303696af334
SHA1 a39354bf560f6baf2e17753a110898f21be547c3
SHA256 45978c7d41314a79614cdc6efdab364dbd7df37e83f5a79b572420b507c8dac3
SHA512 020549fb601591e6a2be0266a18fde408ab26ba7e9654f4b3e1f858dfd32cc1177e36de4af53d1c31c25437156757bc1eecfb7683e2840939d558922c10c0271

C:\Users\Admin\AppData\Local\Temp\AIwU.exe

MD5 6e9bd2a8571126a0cdba55193b070483
SHA1 f2e80bd9c45d0d21118b7e7e83df2511a68089c9
SHA256 f99b1ca566e49b43170a305a2e0f31c0943fb8f4217253e92af17e96e1830d88
SHA512 62a909603beef96dfbc2832219f8c9e720e028cba371b5b957dfcdeae330e82923b6a81af3bdc0bc996cbaa874d63f6c7604c75925d47e8f160da99b055fa7f9

memory/4180-348-0x0000000000401000-0x0000000000856000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UgQo.exe

MD5 b8fe77b6707043bcb2505a64836be9d7
SHA1 ee12b19ceb90118959777dfa3f2f8cec9e114a10
SHA256 f8b83586e94e38465beac119baae2e6fb960f886027424e550ae10cfad75cf29
SHA512 82dae42128f891d803ca899c757ed49e045e323b5cd42bb5c246550f4eb3ecd5ce8cd857ca8220193ee9f3ab333a068d79eb26de09d75b74631c3ef1edd78988

C:\Users\Admin\AppData\Local\Temp\wMwO.exe

MD5 017c149c18592c2db64dc6fa685c211f
SHA1 4c256212580e0e36245c583eff367e2ecad8e65c
SHA256 4d0b1ea1977d66efe9c3ce4e5d269d355cfb2cf9f19a813ca1cd772069c0fb61
SHA512 b46cd9f0e5b1339440f7d6144d5c74c8657db8393e136a2a6406e2b9f4a7380a73772da87c99b2b72c27d0e77257d051af57e081ac549669bbf31024d31decb5

C:\Users\Admin\AppData\Local\Temp\ycAO.exe

MD5 7e2e0feddd9fd25a3adf617fdb7bfe0d
SHA1 7b4ffa591ec0206868ce9f15799ec461e8f32a88
SHA256 6d7ed13559ce49866c287678dfb0f42ae8645e5fcf8615c2b667c102bbd86edd
SHA512 90a82358b1f5d405e37c869017a568214ace9887bdacbdd8a74618751d213381bb41853c4c02aaa11f9cd7fc26d03fe053df33d51a6417ec78a14c05e3240a57

C:\Users\Admin\AppData\Local\Temp\GUcY.exe

MD5 5551c8557ae4fd0369d7600eef46f888
SHA1 4ff786a175930c4ae105ef0ed8e5d3851445cf51
SHA256 78fb075f4651e975797e0e99f6f3d42d1b41b717abf531ec315266cf72f91ac7
SHA512 d52c3d9fa4e4a6f2aff0454af119ba4c6ee7cd79a01b2dd52b345a0b4daf34bccaf2198c9efd23e3bb793735a16154fb3201570141b7183e7773e72a023952c0

C:\Users\Admin\AppData\Local\Temp\CsIO.exe

MD5 529dd2d47a62cc8430f3b6ccfaf0a38c
SHA1 48da8eb8a2d2e430681c009c3f04a14bc1620ad4
SHA256 5b31f98217ac1f8105a35456f58355b93d09094f371b0dcee35e5a916576c432
SHA512 7e8346133f71b30d939d8f87602aaa55d86ccb882914ffd651b22db0e35dc3743c0b092c357984abef127db4252a8aa0d953fba7b8c2c422be71807c240192eb

C:\Users\Admin\AppData\Local\Temp\sgcI.exe

MD5 5e508010027215639e66332bd0e20d1d
SHA1 0e9ce19df0fb129018f26158746637c5e7965c7d
SHA256 adae4bc35cd028cf7fc6a0492f13c98cc1a16603430c7db5441545b25dca957e
SHA512 6444397b64f928054ea0c6e415fd1f83634472c871481820d58a4f91d740865763382637d81c77ee9934b0e9463ab6a99e6ccf3ec6db133a887e4e809ae73ebd

C:\Users\Admin\AppData\Local\Temp\AkEC.exe

MD5 d4cdcf27070cf5b296b8261c52aadc30
SHA1 fc3694a6744f3ff88c200bca6333e9d45aa74c12
SHA256 a3b22f25be43ec931dd0f657993045abdffe1dc65d8aab9c666ae9ebf9837472
SHA512 cfdc131cce89852e7f3e7fb72dafb2a381fd8739183f143487307556f1f355feb9b82d02272fa2cc5870e4628bb871f99329cd240980f01ff9dfed6ac8b96cf1

C:\Users\Admin\AppData\Local\Temp\YoMw.exe

MD5 a53bae1bed3cf1d08c8e1022b7464d78
SHA1 21a9d8d8cf1b5f45a86eda01779a16402a543298
SHA256 48a7d83fc0f5ab2765d60e86e4bc2aebc35f7412f84934d858f4695aebedbb78
SHA512 1b6b703e591b8d5e7f438a09d9bd88498f759ba7a758aec0c27d20f11f2f0ea94444b914c612b90240f4e5d40583e0ec97e87f096c3dfde888272c5ab6aa6e44

C:\Users\Admin\AppData\Local\Temp\kAME.exe

MD5 4de645e511ec2a2946fec63104a160f3
SHA1 94d19e1399a9e6aa2e96fb8c210cd14c91af8ff6
SHA256 4b749fe9f243639e0fa182f9ce9dd9176392e56b69af4580e249a477eb042eae
SHA512 2e4a5695c0c8ca68d7b7e82d5ca8a85564d91ff1f81b01eafd8b1e8f52fac5ecd5d90e37453b411aed17f6d228257ce0d9e6509333025201ed85157ca4280814

C:\Users\Admin\AppData\Local\Temp\acYY.exe

MD5 93a8481de604daf3e59420a776b3a50f
SHA1 54f45981954ccd4ea507bb535a7d33b5c59381f4
SHA256 16bafb5654764107e580a9d7d5edb8079d6c43663c2e5bdf551cb1270e5d9f62
SHA512 c24419f14ad7a8dc8325df1ee5bcdc1d523894c443d0de02277f9a039a07a5869eb56786b8629aba4b77cccd7d9eab1fbfb5f0e22b92a2a273da375726f761eb

C:\Users\Admin\AppData\Local\Temp\ygkC.exe

MD5 84880de1e0daacba51dfce47c9066fd9
SHA1 7459bfe0231bcdcd5c38b60814881509c600d378
SHA256 ef7d734b5171ac88c504d748f96a231494baf3b99bae599d95c6118c93327940
SHA512 870819c40e5e803d774e8bfb666e7f51004aafa9e415d44987da3397f48201378f4f93013004e6a5f21e0b23dcd916918c29307298edbe2913bdb6410a612943

C:\Users\Admin\AppData\Local\Temp\GUUO.exe

MD5 91c6ca1b8ba8397ae562caf5f48ad5d2
SHA1 64d541b5c9fd9188d23e4fb06966cc35f4b02569
SHA256 8a1733dbd7f8e0a8007dc87e901827adf95b9949251747d367a9d7728f2d3060
SHA512 a20f376008de00643490ed0dbd05422e75588f24e15a04e969fbb99e3c171040c98f618acb4c158e7c2de2fdb9ad72c409689dafd9cf97734075971bfe3b2679

C:\Users\Admin\AppData\Local\Temp\qkQc.exe

MD5 771202a5ede03e504167d74d3484e12d
SHA1 36014a08e41a6d7a0216b22eef79eb74e3e062f2
SHA256 f2cf87b88f88b79c7501828471a07df94450e5421dc09cdab0484c33619ba7cf
SHA512 06072cfb8ad78aec60f4195be99d7584e125dcb5a09de7dd71e4f0d8fd14b1b8031027ee0187b1bec926fa09f10929fd359a51a3586aad3e01f678eac58d6279

C:\Users\Admin\AppData\Local\Temp\YQIy.exe

MD5 08e7b735d57e6f4810e996282f1e5d07
SHA1 7f339d7fd93dd99b3d9602e9fb3265579a106011
SHA256 ed81ecc27e5d6627603c377fa679662b96e4ff671c349807c76d284afb741b89
SHA512 366b0f1a1c8be3116147b18843901c642ffebdd0b218aff11d82bf911be45cc4ed45f4794d1234302c72a72e24b1cef6fc3caf4fcd298c9f083fb480d6cdac6e

C:\Users\Admin\AppData\Local\Temp\AsEc.exe

MD5 714d8a4c173595e21741e4e11d241a93
SHA1 5f91eeebf9da1c51fa3d6ead6b16d354ba02a76d
SHA256 1e37a55f157df9155a231aac7713464e8f7e07f4af1b6e6fe1278db2c45bd162
SHA512 80b76bcf763c062f0fb2267037b5901e72766c7a3aa020644b2a31718c7dd2977936065c45ca4240afaa434bcc8bbbf2d0cee94a2ce9be2886f4cd1612dfd7dd

C:\Users\Admin\AppData\Local\Temp\mMcy.exe

MD5 c70e56327d6b7391e25ab446f029eec1
SHA1 2411b5a54edac4dd84c897de164c0b7d54eddecb
SHA256 fca51f9951e340aa5e9e1d4853b018ef9fd6400fb2f42a0496a8bfe6eb0ffe14
SHA512 918f0fe0a15d214fe3310f2b94fd376fe25be9e546ff0172d5cf3af5bf72495cd3ed0c1c8a00a3871e70aea49061d11c38375300df7c75245b6c4fcf1b79e486

C:\Users\Admin\AppData\Local\Temp\OssG.exe

MD5 4b2daca198b2aab982fd9cdbad68157c
SHA1 b93b5ab6c9f1dcee28f99fa60e3793e18918299a
SHA256 aa0447f1f7e738112e80310eb42d54b7474d7e1526415fbe878db950adeb5dea
SHA512 a4c8615c6bbe3a45ddfefd63518cdbe2a710374bb1d650dc109e5d541083341eb843d2d90fd1991872488b83197ca21c2a21b7cb54f77de1d02b4342612df48d

C:\Users\Admin\AppData\Local\Temp\IIQu.exe

MD5 2ebbb7447fad8318f08f0630b4e421bc
SHA1 ad1e8facdb7fb9485c9165ac40dd3aa0e095a4d6
SHA256 5735ff27e943c5652997b14831063ae6e479e17bd9f8ffafcaa3ded24a71f0ff
SHA512 fa280832662c098515d50cac7e92dcdfdd7874108dc624e488c8a91e41500165b3e1e545d92ac44f5afa64c9313f9e32a1409de278225655961dac5fd19fa3eb

C:\Users\Admin\AppData\Local\Temp\csow.exe

MD5 10cbf728b8a8a330cecbfe262d9d0199
SHA1 c71b28029b436999c0f5ba3e4db7be959f9a589a
SHA256 77725b30504d969cd82d88c43e3d352b592e59aabf263d8f7888cfbe8fb065dd
SHA512 317417022146689f12ce0f0d19d783632b1a3f9c1eb6f54678a7c5efbd114f8e5f6136f54398912d55bb48724046fc6e651cbcdf6626c8c56954526e48dc04fd

C:\Users\Admin\AppData\Local\Temp\skgy.exe

MD5 7fbe971e2cd4d691cbad7c5ab748af90
SHA1 063f575ed9c3e7e8aada2a09f91a6883e164e796
SHA256 3f4de5ee65d50878f2ca45a6c71d8fdd7169fb1155a8f896952a38181035ff02
SHA512 18a69e22af21ee951367d4c64b00bbb0e4c376f6005957a2f2f36436bc766b50f26fac6f3ad7e931f1516e3fa57e501456555ea50f9bc917586ac257abe9872c

C:\Users\Admin\AppData\Local\Temp\mooc.exe

MD5 207a1fca309a4e93b011af57512a414a
SHA1 1773e747ddef1f2fb94b7794e3b692c780a94f15
SHA256 d57a4deb0970d82c1ca73a9587f02a35a066eb6044c5a3e15539d7c2ad2246be
SHA512 90d59c398606ba56b2d94cee34a468ff8afaf60f0cb2f30893a7a9ecd81b6659889d9455a288115fa9beb45039e9520e7bd2b8cfbaf5fb5cb849d15c06694ea1

C:\Users\Admin\AppData\Local\Temp\kIAm.exe

MD5 10a88b3a759fc2c4abed9c4a3dff33aa
SHA1 5c71675f096fd8e5bb6b1c03e7b34e35067e3f17
SHA256 7147b6bf51358026c662275905808eb9abb84fbd461dadcae19c05c05afa71f6
SHA512 90777651f6b75322cb60a6499cad1cc37339c061708d576d40a75112cdd1f43506434b2f579d190f8f80ed7f9d4ebb67ded2136dfa85b608932946f8d9138f6a

C:\Users\Admin\AppData\Local\Temp\Egka.exe

MD5 01a120e8bdb50d3c3013a9a08416450f
SHA1 f9ee34b953c4a7c0181dea32f6fc0bfa28be29bb
SHA256 3ea592d30f1e0f633c52db5c33059f7c9d272906c1f3d64f63fd5aa2dd1e4a3b
SHA512 8995a08b229a736f026b0748c5d55ac149c71c119ea69eec811bb943bc4670bde090cb2cff155835642d5a92ddd5e15f91ecb1c39ba7770e6274bf50a7f0e31f

C:\Users\Admin\AppData\Local\Temp\cIYI.exe

MD5 3c716a4275952c266ab01cc09d9a5187
SHA1 af6e97abee89e3194d0aba13d740bcfa8d5ff17e
SHA256 b3c8335b821f72eec8e7bd50073ae890743bed1224ee02f20142c56c36aa3bda
SHA512 52d905628874fe73c773b159820b4a0ac422042f8296692d73c6aae62c422a1d7b37ca0ddf47caa2400537e74a433dbed1fdef7c3829f71146c94c1b26062050

C:\Users\Admin\AppData\Local\Temp\gcka.exe

MD5 ed7965eb11d8e88531caa0975b5a7985
SHA1 c7ef02fbfd4ec647e3809bc122b9f19af91c2362
SHA256 e40a759566278d1ab0ade507525335982c5108a9e9332fc99828c384a45ba52f
SHA512 714b7a2b1189c04b510a0cbb2a8740e208292a5bce2b746f6b9a8c338630fc7d1dea20889bad5226c1fb9ba3f2e0b2848fa036831ed03690185c87e70a62bea6

C:\Users\Admin\AppData\Local\Temp\IoMK.exe

MD5 caf5adc02497b70c396579d129a913a8
SHA1 1eb095ab6ff5495ff8e569ce56dc859ed5477aeb
SHA256 d55ff77cd0910bd5c524f87f21b527bb2a742eda0af27f3a72c9365d235ab518
SHA512 39b4254822c907677d55f2dcc60ca4823869618518c2f61f849fe425942ea3d191c800e28afed23b3d824aa32c5a05d3d80d3c2c5fa0ce9aed9b155c337328e1

C:\Users\Admin\AppData\Local\Temp\MMQG.exe

MD5 84079bb618116bd67bbf7ce0210735d3
SHA1 5fb74a9311f4edd5d7826b39c87b59d1987df8bd
SHA256 df14165fd53ba81fac9f0a2c42fcc7658efbfa6c12a118a9e0390b6bf7025ba0
SHA512 b3f2b8a5781ba5beed2bc89323aa424097ce7c0f549ef6f642e66de4e805b0ae93e88784031dd4893a65b20655ff9faa914ef98cfe23cf199b5a5c412245ae10

C:\Users\Admin\AppData\Local\Temp\Ucwi.exe

MD5 675ee38f04c4a2c736335c5fb0abf3e9
SHA1 cafe6c407936d5214d36abd3239f517a1a16e94f
SHA256 512c9c44bd5676025e9f2c670a0042d28791807a218f0c30b229c93cca0acda6
SHA512 d3030b447a4cc2df8ceafe77b8a38114fd2edf4f7e7c5c4280b6ee352b0e7580b6298a8be4eed588a2f089f764b1d4da90ac1bf302f315374533c77d344ad728

C:\Users\Admin\AppData\Local\Temp\EEUy.exe

MD5 00468e6d4272323bb13e1493c87edfe5
SHA1 f934e3a57dad1d759355a60c789e7c5bace2f223
SHA256 014c3ab750f06c207f193b2610332b1b0ae531184091f9c087c8d4c2cbeb071b
SHA512 574f16e9a4859b49dad1906a375ff2c40f076ac7df484a55476b4ad184e15a5b4664907374253075ed72cd447121abc9bf72122421db2c834559619e065e3ae9

C:\Users\Admin\AppData\Local\Temp\YwUM.exe

MD5 bc8dcd0eed43777411579604576c3536
SHA1 3a87b2ca37a3e6d43ee0e293b0297515bbadb1ce
SHA256 986ef71c7089d1e3f3e107a09ffdcfa05e2142e381670e755029f48abb27d895
SHA512 2256b703d388668e5b5fd791f416b109c6dd164d3f51917ef5f309a14d28f94ed8835617bfec5548bcc20ca3ec72ce4af826bae88876abb39982d1f6b4c068aa

C:\Users\Admin\AppData\Local\Temp\uMMu.exe

MD5 5c054e43e9db7a8360e34253ce0692de
SHA1 4ab785be1ec2918b2349e55d2fb9dddbdcf65647
SHA256 2828c98d6e7d496103da63479004f3601dfce7fd7ac37452b1911084ba04f912
SHA512 530d07b8cee2efb76c7ea70a9d4c2a48234c6b3d9e855a9c456ec20752ea99a0e81f46efea1455dd1d77a9afb1cdb952494dd660a4b4d6c6999d9e8fcaa83faa

C:\Users\Admin\AppData\Local\Temp\kIwO.exe

MD5 3b48d23dbcaace751e519b12071fe83a
SHA1 04b9a65d7ca6ce186c393b2848af19724d33606e
SHA256 139bf9b2498599b5c88084b77df399e636831c187955e25b39d72f00a2a4bfb7
SHA512 78184e3f1d7b0242373b14dcd4360349b0509187256652134c71f9320cc0aceffba23168305d363ed8b106e7aa9a4eea11e4a5a699e67a5d6225d6f30d9c6869

C:\Users\Admin\AppData\Local\Temp\QgYS.exe

MD5 56cc954dad15282177ea07c6a0306c4d
SHA1 442e58cd78ea41062723ce948b65964023c1f4a9
SHA256 2ecdfa8832517480c577918564b1f6650d635f0ef1e2130e161b40385c217ff1
SHA512 195fe0b0c56b12247a8170d6931f8333cf8ce7702f3c0824a79172c3a4295cbc5f2d62dfa366145d05682fe3f60d040125a282af3922e6d5b4c36abb0920a0d1

C:\Users\Admin\AppData\Local\Temp\MQEc.exe

MD5 be7b7fb1f319a5863016414b1160f764
SHA1 59b62f95600e2af6785afc8bac16bc739e998a62
SHA256 144be63614a3b976fbf3a0ff4fa6cb1c350069d6f273ac6791932d53d732606b
SHA512 0035eafce5acf31458e1294d4651686a7e5850ef96dee9259fb641ef47b3465e04c4e7b49e139c783ed0672c773031acc4cc18d9c813a05121f3a387f70e9738

C:\Users\Admin\AppData\Local\Temp\YgMq.exe

MD5 d5340b90c7cb517cce88da7a5b44a527
SHA1 7fa22a30c9ae2aa57a289859ba5a7227628e13fa
SHA256 3fffe19b307b75dcec74dc7eaf98dc1388e8a62dec72a88720037f8e66f538d5
SHA512 d8868343d1b76c8dc1b0b06e0953c9c6d91a324a0fb42eb673d8ef67cd2298de2a83668733e5676c2a31f74294d46da838d67fa24f2fa828a201469b6734d78a

C:\Users\Admin\AppData\Local\Temp\aQsK.exe

MD5 fb5775dc32cac81510c59973ac8c1d20
SHA1 1b7e31f97c5a323502d8b8737be93c32bb67c28c
SHA256 24f55b17bd4d8e497c0ce3cfc04f62a34190cae62cf1cfef36e70211187dddc3
SHA512 b6556e92418c16729e6d852aa720274b43a62ba3f62e5bf7685c3c1ba05e01102d495746e8865bc89d361c166d29b47b174c6985140a581b92bd44bfb0b9c4f7

C:\Users\Admin\AppData\Local\Temp\wcwm.exe

MD5 068bd96b4667dc4dbe918198f1c08480
SHA1 4c43618a698f89c19c09de53b32e80a4edd4baa5
SHA256 a574e4e898cc7d962602b1bb4396b5143d4b2d49795660531fc1fc25a8276c74
SHA512 0b9e937efbf22336fab32638ab4159315dbb09baa7ee750fa130e9d9e5a82c02b3d3c64e115dde17697bf37fa0f25c74ef12b1f87996933440d22168db13c6e9

C:\Users\Admin\AppData\Local\Temp\CMEi.exe

MD5 739db3f4e5ddb8c3f851d80ecfb3e735
SHA1 99b66d48746f43aa1d2fa5933a41c63e14609d11
SHA256 419b53ecc5d9d4e55aa70703d6f72bdcb94261cca6d7619fcd4186322007b728
SHA512 0e6b10dd189f2606b6179eee95c0db97739bd13803ab975f872b5b282c18b357b6a01c63c4af04c5cdcde5e6a8e9e6d8ef9a9dc091b7ef3c18cc410559f2973f

C:\Users\Admin\AppData\Local\Temp\gsgm.exe

MD5 91c0ed3f0175eeda354a52d0b2a1ab76
SHA1 60b4939474baa6d423e8962eb1b6dbb2adaa30d8
SHA256 623b5f9d491f73f477358351099409e86bea42018644f46259c1da96c13e6eb4
SHA512 a232fd8416f9a3f1344bec417007a70062b51cc700c027b999d3a2dec3f483584118df5cfa8a095d3d001411bc9ffeccdb6d2ad7c70fe08c60910492d1c4b384

C:\Users\Admin\AppData\Local\Temp\IgEA.exe

MD5 ac4884e8d978ecbe73f6284afbea10f3
SHA1 2c328cfe740c94867e437cf32559a6153da12b0f
SHA256 bf0309ba15c5ead28124bab1c28a4b2d0a0fc11e1153daa479f6abecc01bb3fc
SHA512 d5c8fc591279835d44af12301f3e31ca2b56c8a6b228cffe267d80d477ef6a518f0cdca22ca7181db74e88a58e4c3c298ccf105cce133436b7074bd0c08b21d2

C:\Users\Admin\AppData\Local\Temp\QsAG.exe

MD5 b7fe7416a95424962e85f30b572549d1
SHA1 81ad7cca391a640a3f8bfeb98c27fddbbb0311bc
SHA256 913c71e8ae49b516d79b9100c95950b8fd14d8355e07617562deec014ce3c29e
SHA512 2e44c537f33680d62481beaf2b4f2b2fc499752f259adaeb9011dbbcda443969ba7d021918e6ecd18135b57a52e4a5d0e2661c0ac912d12c644a0bc1fe2c6b95

C:\Users\Admin\AppData\Local\Temp\qccy.exe

MD5 15e08d3c68bc32db9d25329af0451656
SHA1 3c1f2312bf02a7ff6a18e9c9601e8a326c31cc86
SHA256 6ad6e5c28aa1e24d2b8fe4c5831ac0bb831f7b66643a86c45b99ed22deac175f
SHA512 9a0244fcc6b6d274c40c71950ee9ee9a4d5e741404ea7ccf79d98a240cd6080721cf814a169282391705156b094c33680c911ed600ce3663072e54808749fa48

memory/736-985-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GMES.exe

MD5 429ea5c874af375cfd44a875a8be56e9
SHA1 e788384a6d7f9eb805c3879a35e179ac818dae06
SHA256 0fc1eba09710140e51df181dbd7012978eb6cc0fdcbcc5c104f4533405da4ead
SHA512 8a59f053285665afc9c67c7c5cc8b75cddf8912b4ed8dd4d8f122ef27412c36b07cabd21988efb9077528e1f2fcb14ac16f0d9915ce9e9c8d52f77fe21b00009

C:\Users\Admin\AppData\Local\Temp\gOsQ.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\yUoE.exe

MD5 875c5980bab36edb923d7cb4421696ed
SHA1 a522571ddfbb19e2fb0c4e5ace4895a297b36b10
SHA256 ea7b6d38fa38bc60ae29607d91e6497a2f10598112405125fe2ff1c8f40d4bd2
SHA512 63822098ee92fdf207116557b3a6dcd4225e08f70fee8f792e20484b9ded4a0e9f22ed76d73f798fc39d2cfc4f67a44bc937805a17eadf23de8427c6f6644ec8

C:\Users\Admin\AppData\Local\Temp\MwYE.exe

MD5 21933867d08daecd75792d4fe683bf70
SHA1 52517b5ce93d4e3134c7d36fe39f44c06d23cb48
SHA256 24d88c98c40d5c42ab8054b11f6fa7021eaeb2483130dcbd4f75f6d409ba76d3
SHA512 8ddd5f73960426f05c0d37a7eeca0ab7c9d0498b18fdbef4f71eb926a3c51d98aaa90743b58895e7dd302a7c673e1ed04e399ff0119f868419eca418f2e3a025

C:\Users\Admin\AppData\Local\Temp\gMoi.exe

MD5 f998ba11e55ded8e902f40bd46d513ec
SHA1 8572a642da469e0fc2a161ecebda1ebb64e574b7
SHA256 1c44a66489b002b1690b11d2c1f25e7993cf5f22652845ecd20ed3e5ecbbccea
SHA512 8db6a67fe6fac7a2e2a4b026326eba088a8f855922e05836218657e89d671af33dbd6782251840b3153e63e1524ffacba8ef1a74d86286aad717e56ea42d3cdb

C:\Users\Admin\AppData\Local\Temp\eEoK.exe

MD5 f5eb62d31b58fe53a55d58f8b622d964
SHA1 5e50f5dde45da747edbbe77882772ead57dc17ba
SHA256 f3df7ada64cafbb3ac4e75461b20341a7184ddef5df1fb0d2940c6f484a36bf9
SHA512 9536dd05d6ee6c0be0a0ae3450d9f19dbc9a301946701558a599777baf6aedec96d6123a185cf6262450c73617785d6af3ab7176794735b03e2a3b80381ed4ae

C:\Users\Admin\AppData\Local\Temp\qEQw.exe

MD5 fa67981e91f98460ff5869deca443c57
SHA1 590039336a5286f4113db48751555adcc2a24e92
SHA256 ce37aa8ebae8dfb97e46febee7af13b03e3cf0ab8c945634aa70d1fd6d36bf2a
SHA512 02ef059541b3ecf08b9c393d2f234979e22cf39a86eab4cea071dabc7f29a57fe605ad012145a8f5ae268441d7b23bba68ea552a5df69673bb326d9d5f6e7ae2

C:\Users\Admin\AppData\Local\Temp\CEEM.exe

MD5 fa7a2feba8cf54d5dfe7e3c2b36bf557
SHA1 f74ac086e4f9f786c5fbd6a3302616dc876d055a
SHA256 937ab82159d63d000493164973d70fad8982cf7c72e1289b98430a0d5f1f59c6
SHA512 64cf13f1d3911af40a1094f35427c833ef4aa158c5cd9490ced85e80fef2a79575947dcbc693fe9e93c766fedd5feb8fbd93434740ce352ce18ea49432b9a569

C:\Users\Admin\AppData\Local\Temp\SoUa.exe

MD5 5f6f7af31e529bd4034213fb4736254e
SHA1 f5a3e41c98fc52e6fcc58f0a0b09bcd386ef2e15
SHA256 1dacfcb75565e6306eab9c5ed2638d324c7e324c9fdac940c1aa342d6f181a9e
SHA512 85c4860f4a097fbc950cab06efa1fabb4eaff6c32f1a1aa6c83f04c505a123b27f3c527f91954a11fcec44815f6c1cb265886f9338830ecd85a98862127e983e

C:\Users\Admin\AppData\Local\Temp\yQwq.exe

MD5 ec24f14f507291eb441630542593229d
SHA1 c8d71326d73b7ffce18fe9e64fda4943cedbf152
SHA256 19769d52a6e8818b29de15be9e9872c03dab6bc644ba6ef3001a2a788416dd0c
SHA512 c010224d8549c6a991a11a40c1c53549a0796212496f68839488c6cdb7419eb891cf467df0942059c6027aea8641c030011e3b979781041931d038593748fc04

memory/4496-1137-0x0000000000400000-0x0000000000470000-memory.dmp
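The listing above is the raw dropped-file inventory from the sandbox: each artifact is a path line followed by its MD5, SHA1, SHA256 and SHA512, while memory-dump entries (the `memory/...` lines) carry no hashes at all. To turn this into something a hunt or blocklist can consume, the following added example (not part of the sandbox report, and not the sandbox vendor's own tooling) parses that exact layout into records, rejects digests of the wrong length so a mangled copy-paste does not end up in a blocklist, and separates hashed files from memory dumps. The embedded sample listing is constructed from three entries copied from this page; the function and class names are this example's own.

```python
"""Parse a sandbox dropped-file listing (path line + hash lines) into IOC records."""
import re
from dataclasses import dataclass, field

# Expected hex length of each digest the report emits; anything else is a
# corrupted or truncated value and must not reach a blocklist.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


@dataclass
class Artifact:
    """One entry of the listing: a dropped-file path or a memory-dump name."""
    path: str
    hashes: dict = field(default_factory=dict)


def parse_file_listing(text: str) -> list:
    """Walk the listing line by line.

    A line matching `ALGO <hex>` attaches a digest to the current artifact;
    any other non-empty line starts a new artifact. Memory-dump lines therefore
    become artifacts with an empty hash dict, which is how the report shows them.
    """
    artifacts = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line before any artifact path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LENGTHS[algo]:
                raise ValueError(f"{algo} digest of wrong length for {current.path}: {digest}")
            current.hashes[algo] = digest
            continue
        current = Artifact(path=line)
        artifacts.append(current)
    return artifacts


def dropped_files(artifacts: list) -> list:
    """Artifacts that are real files, i.e. carry at least a SHA256."""
    return [a for a in artifacts if "SHA256" in a.hashes]


def memory_dumps(artifacts: list) -> list:
    """Names of memory regions the sandbox dumped (no hashes to hunt on)."""
    return [a.path for a in artifacts if a.path.startswith("memory/")]


def sha256_blocklist(artifacts: list) -> list:
    """Sorted, de-duplicated SHA256 values, ready for an EDR or mail-gateway blocklist."""
    return sorted({a.hashes["SHA256"] for a in dropped_files(artifacts)})


# Constructed sample: three entries copied verbatim from the report above
# (one dropped EXE, one dropped ICO, one memory dump). Raw string so that the
# Windows backslashes are not interpreted as escapes.
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\mMcy.exe

MD5 c70e56327d6b7391e25ab446f029eec1
SHA1 2411b5a54edac4dd84c897de164c0b7d54eddecb
SHA256 fca51f9951e340aa5e9e1d4853b018ef9fd6400fb2f42a0496a8bfe6eb0ffe14
SHA512 918f0fe0a15d214fe3310f2b94fd376fe25be9e546ff0172d5cf3af5bf72495cd3ed0c1c8a00a3871e70aea49061d11c38375300df7c75245b6c4fcf1b79e486

C:\Users\Admin\AppData\Local\Temp\gOsQ.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

memory/4496-1137-0x0000000000400000-0x0000000000470000-memory.dmp
"""

if __name__ == "__main__":
    arts = parse_file_listing(SAMPLE_LISTING)
    for a in dropped_files(arts):
        print(a.path, a.hashes["SHA256"])
    print("memory dumps:", memory_dumps(arts))
    print("blocklist:", sha256_blocklist(arts))
```

Feed the whole Files section of the report to `parse_file_listing` rather than the sample to get the complete set; the length check is deliberately strict, because a single dropped hex digit turns a hash indicator into a silent no-op on the sensor it is loaded into.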